4.5 Million Records Stolen from Community Health by Chinese Hackers

Another day, another multi-million record data breach: national healthcare chain Community Health Systems (CHS) says that about 4.5 million pieces of “non-medical patient identification data related to our physician practice” have been stolen by what are likely Chinese hackers.

The attacks occurred in April and June, and were disclosed in a regulatory filing, according to Reuters. However, the stolen records stretch back beyond that timeframe, affecting patients who have used the company’s physicians' service over the past five years.

Franklin, Tenn.-based CHS operates 206 hospitals in 29 states. No medical/clinical information or credit card numbers were taken, but the stolen data is exactly the set most useful for identity theft: patient names, addresses, birth dates, telephone numbers and Social Security numbers for millions of individuals.

CHS is responsible for protecting personal patient information under the Health Insurance Portability and Accountability Act, better known as HIPAA, and has therefore hired Mandiant to investigate the breach while it works with federal authorities on the case. Mandiant said that the intrusion appeared to make use of unspecified “highly sophisticated malware and technology.” That malware has since been eradicated from CHS’s systems, and Mandiant said that it has put in place “other remediation efforts that are designed to protect against future intrusions of this type.”

And thanks to its cyber liability and privacy insurance, CHS said that the incident will likely not have a “material adverse effect on its business or financial results.”

However, that is likely too bullish a comment, researchers said. “Community Health Systems leadership has now invested in what [they] believe has remediated the security breach at this time,” Kyle Kennedy, CTO of STEALTHbits Technologies, said in an email. “However, those remediation tools will not bring back customer confidence, brand and/or market share lost due to this security breach occurring. I have said this before – remediation is always more expensive than prevention – how many more security breaches will the healthcare industry need to have published before preventative projects are green-lighted proactively as opposed to reactively?”

According to Reuters, Mandiant and federal officials told CHS that the people believed to be responsible for the purloined information typically specialize in the theft of “valuable intellectual property, such as medical device and equipment development data.” This incident therefore marks a change in strategy—but one that makes sense given the relative ease of gaining access to such financially attractive information.

Kevin Mandia, Mandiant founder and COO at FireEye, told FOX Business recently that because people generally demand medical records be accessible quickly, security measures often take a backseat within healthcare organizations in general. It’s a concern that the federal government also noted back in April.

“This is another example of the ‘remediation is more expensive than prevention’ roller-coaster all organizations are embracing day-in and day-out on where to spend time, resources and money to secure their organization,” Kennedy said. “Knowing where the most valuable sensitive data and information lies within an organization is paramount to being able to present true business-risk calculation that an organization can react and invest in, to properly reduce risk.”

Yet healthcare data – particularly in the US – has become highly prized by hackers, especially because the data can be “laundered” in a sense, and passed off as legitimately obtained.

“Data attacks are increasingly being carried out to gain access to information, which can then be used – and re-used again and again – sometimes even for marketing purposes,” David Gibson, vice president at the data governance specialist Varonis, told Infosecurity earlier this summer. “The irony of this situation is that, although the initial breach is carried out by people operating on the wrong side of the law, once the data is passed along – usually generating money in the process – the recipients are usually unaware of its origins,” he said.

“Obviously, if someone presents you with an intimate database on several tens of thousands of people, you would be suspicious as to its origin, but if the data is only partially revealed, then it will be classed as normal – and permission-based – marketing information,” he added.
