Hackers steal HIPAA-protected info of 4.5 million people from hospital network

Share this content:


Long-term care and other provider types already have been on the alert for large-scale computer breaches, and their concerns likely will be stoked by news that one of the nation's largest hospital organizations has been hacked. The personal information of about 4.5 million patients was compromised in the cyber-attack, Community Health Systems announced in a regulatory filing Monday.

The infiltrations took place in April and June, CHS believes. It engaged a forensic expert, Mandiant, which believes the attack was launched from China. The hackers apparently used sophisticated malware usually used to steal intellectual property, such as medical device development information. The attack did not compromise this type of data, but did breach confidential patient information protected by the Health Insurance Portability and Accountability Act, CHS stated.

The information did not include credit card or medical data, but did include names, addresses, birth dates and Social Security numbers, according to the hospital group.

CHS says it has removed the malware and reported the breach to authorities. It is working with federal investigators and will offer identity theft protection services to affected individuals. The breach could lead to “remediation expenses, regulatory inquiries, litigation and other liabilities,” but is not likely to have a “material adverse effect” on the business or its financial results, according to the Form 8-K filing.

CHS has 206 affiliated hospitals in 29 states. It recently was in the news for an unrelated matter, after it reached a $98 million settlement with the federal government over allegations that it increased reimbursements by admitting people as inpatients rather than keeping them in observation status.