CHS is latest in line of data breaches, this cyber theft affecting nearly 5 million patients spanning last five years
Nearly 5 million patients were affected by the Chinese-led data breach targeting Franklin, Tenn.-based Community Health Systems Inc. (NYSE: CYH), the nation’s largest hospital group by number of beds.
Florida patients represented the largest group of cyber theft victims. The state has the most CHS hospitals, with 26 centering primarily on Orlando and Tampa Bay markets and cities nearby.
CHS reported that hackers bypassed the company's security measures, probably in April and June, according to a statement the company filed with the Securities and Exchange Commission (SEC).
“It’s certainly one of the larger breaches, and certainly one of the bigger (ones) in healthcare space,” Crowdstrike CEO George Kurtz told Bloomberg. “It’s just another indicator of what we see on a daily basis, just how active the Chinese have been in targeting companies in the U.S. This breach is a little bit different because they’re targeting healthcare information and user information, as opposed to just stealing intellectual property, which they’re very good at.”
CHS contracted FireEye Inc’s Mandiant forensics unit to help with damage control. According to the company, data affected in the breach was non-medical: no credit or debit card information was derived. However, the theft included sensitive information –
names, addresses, birthdates, contact information and Social Security numbers – of patients who were referred or received services from doctors affiliated with the company since 2009.
Vectra Networks CEO Hitesh Sheth cautioned that data breaches are more common than most people believe.
“More and more devices are getting connected, and the reality is if you’re connected, the odds of being hacked are pretty good,” he told Bloomberg. “Every network is breached. Against this backdrop, what’s really interesting about what Community Health Systems has done: they’re talking about bolstering their defenses ... acquiring the services of (Mandiant) to do something on the forensic front. Really, what we should be focused on is not only defending ourselves, which we should, not just worrying about what happened after the fact, but we can identify attacks as they’re happening and understand where they begin real time, so we can take preventive steps to limit the damage.”
Specifically, the CHS information breach resulted from the Heartbleed internet bug, a major glitch in OpenSSL encryption software that’s commonly used to secure website and technology products including cell phones, data center software, and telecommunications equipment.
Systems are vulnerable to data theft by hackers, who can attack them without leaving a trace. Recently, the bug had been used to steal nearly 1,000 social insurance numbers from the Canada Revenue Agency website, prompting the government agency to shut down online tax filing for days during tax season in April.
TrustedSec CEO David Kennedy told Reuters that Juniper Networks’ equipment was used by hackers to seed the Heartbleed bug.
Tom Turner, an executive at BitSight Technology, which published a 2014 cybersecurity report highlighting the healthcare industry as one of the worst at protecting against breaches, said patients whose records have been hacked should remain vigilant about opening fishy emails with suspicious attachments.
“Any time you’re offering any type of information you consider personal, private or sensitive, you have to be aware that the minute you provide it to a third party, you're reliant on them to protect it,” said Burnette. But, he quickly added, “if you’re in need of life-saving medical care, you’re not going to stop and say, ‘Hey, before you start to operate, can you tell me if you’re going to protect my information?’”
The very public cyber attack hit CHS just as it resolved a Department of Justice investigation, and announced second quarter net operating revenues of nearly $5 billion.
Last year, CHS acquired dozens of hospitals from distressed Health Management Associates, including Bayfront in St. Petersburg and community hospitals in west central and southwest Florida.