Community Health Systems, one of the biggest U.S. hospital groups with 206 hospitals in 29 states, recently said that the personal data, comprising names and addresses, of about 4.5 million patients were stolen by hackers from its computer network, likely in April and June.
The stolen data included patient names, home addresses, birth dates, telephone numbers and Social Security numbers. It did not include any medical or clinical information or any credit card numbers.
Cybercriminals usually steal Social Security numbers and other sensitive data in order to sell them, and the buyers then use the data for identity theft. It further helps criminals to open bank accounts and credit cards in the names of these patients, take out loans and ruin their personal credit history.
However, the information was considered protected under the Health Insurance Portability and Accountability Act (HIPAA). Now that the data is stolen, state attorneys general can sue Community Health Systems for damages. Under state laws, patients themselves can sue the hospital network for negligence.
Community Health Systems said in a filing with the U.S. Securities and Exchange Commission on Monday that the attacker was an “Advanced Persistent Threat” group, probably based in China, that used “highly sophisticated technology to attack the company’s network.”
Security experts say that the hacking group known as “APT 18” stole the data and may have links to the Chinese government. Moreover, according to experts, “APT 18” typically targets companies in the aerospace and defense, construction and engineering, technology, financial services and healthcare industries.
In response, the Chinese embassy in Washington said that it wasn’t aware of the attack. “Chinese laws prohibit cybercrimes of all forms and Chinese government has done whatever it can to combat such activities,” Geng Shuang, an embassy spokesman, said in an e-mail. “Making groundless accusations at others is not constructive at all and does not contribute to the solution of the issue.”
The hospital network said that just before the announcement, it managed to wipe the hackers’ malware from its computer systems and employed protections to prevent similar break-ins. It is also informing patients about the attack and will be providing identity theft protection services to them.
All said and done, the reality cannot be ignored that large-scale data breaches like this have unfortunately become pretty normal these days. And it is the common person who pays for it in the end.