Indiana Security & Privacy Network

Sophisticated Chinese Hackers Infiltrate Community Health Systems — 4.5 Million Patients Affected

This one is unusual because it is the second largest HIPAA breach reported thus far, and the only one thus far involving sophisticated criminal hackers who are reportedly based out of China.  The covered entity is Community Health Systems (CHS), which is headquartered in Tennessee and has hospitals in 29 states.  Community filed information about the breach with the US Securities and Exchange Commission (SEC) on August 18, 2014, and I’ve attached a copy of that report.

The report filed with the SEC states the hackers breached the CHS computer network’s security in April and June 2014. CHS reported that the hackers used “highly sophisticated malware and technology” to bypass security measures and successfully copy and transfer data outside CHS.

The compromised data included names, addresses, birthdates, telephone numbers and social security numbers of patients who were referred for or received services from physicians affiliated with CHS during the last five years.
CHS also reported that it engaged a forensic expert to investigate the incident and to assist CHS with remediation efforts. The malware was removed from all CHS systems, according to the report. CHS also stated that it has implemented new security measures designed to protect against future attacks.

To date, the largest HIPAA breach affected 4.9 million individuals and was reported by TRICARE in 2011.  Including the CHS breach, there have been seven breaches affecting more than one million individuals since breach reporting to HHS became mandatory in 2009.

The CHS breach highlights the risk of advanced persistent threats, as well as the challenges that organizations face in identifying them.  As you know, for large healthcare organizations, the challenge is further compounded by the number of medical professionals with access to the systems and the interconnectivity of multiple systems, including patient portals, that flow into the electronic health record system.

Contributed by InSPN Board Member, Joan Antokol