Posted on 08/19/2014 5:00:53 AM PDT by markomalley
Chinese hackers stole 4.5 million patients’ names, Social Security numbers and other personal data from the computers of one of the country’s largest hospital chains, the company said Monday — the biggest reported cyberattack ever on a U.S. health care company.
Community Health Services and its forensic expert, Mandiant, believe the attacker was an “advanced persistent threat” group from China that used highly sophisticated malware and technology, according to a filing with the Securities and Exchange Commission.
The data stolen in April and June also included patients’ addresses, birth dates and phone numbers. The thieves did not swipe credit card numbers or medical information.
Social Security numbers and other personal data are a gold mine to hackers, who can sell them to black market criminals for use in financial fraud. Complete health care records are even more valuable, bringing up to $316 per record, security experts say. The Chinese hackers may have been blocked by encryption from getting medical records during the attack, according to the experts.
Community Health Services is notifying patients and regulatory agencies as required by law, the company said in the filing. It is insured against related losses and “does not at this time expect a material adverse effect on financial results.”
The Chinese group identified in the theft typically targets intellectual property, such as medical device and equipment development data, Community Health said. Whether the hospital chain was targeted for some particular reason or became victim of an opportunistic attack based on the discovery of a vulnerable data system is unclear.
Whatever the case, the incident is a severe blow to the Tennessee-based company, which earlier this month agreed to pay $98.2 million to the federal government to resolve a fraud investigation into its Medicare and Medicaid billing practices.
Security experts were divided on the eventual cost of the breach. In 2012, the state of Utah acknowledged a health data breach affecting 750,000 Medicaid patients; it already has paid $9 million on security upgrades and credit monitoring and could spend as much as $400 million more to repair identity thefts and fraud that resulted from that attack.
In the case of Community Health, however, the breach might not represent a significant fraud risk to the affected consumers, said Al Pascual of Javelin Strategy and Research, a California security firm.
“There has not been any recent indication that Chinese hackers are actively targeting [personally identifiable information] for resale through underground forums,” he said. But he added, “The potential loss of consumer confidence is not as easily quantified.”
“We know that about one-third of affected consumers will avoid doing business with their health care provider after the provider has been breached — meaning that about 1.5 million Community Health patients might be looking for a new physician in the very near future,” Pascual said.
Larry Ponemon, director of the security-oriented Ponemon Institute, said a recent institute study estimated that each record exposure can cost as much as $201 to repair. That doesn’t mean this breach will cost Community Health $900 million, but “it could be a lot of money,” Ponemon said.
Community Health, which has 206 hospitals in 29 states, said it had been working with federal authorities since the attack to eradicate the malware and fix the security problem. The company provided no indication of harm to patients. Nor did it specify when it discovered the breach or give an estimate of the cost.
The biggest previous reported health care cyberattack, according to the Department of Health and Human Services’ Wall of Shame, was the theft of 1.06 million records from the Montana Department of Public Health and Human Services earlier this year.
HHS spokesman Bill Hall said the department’s Office for Civil Rights had not received a breach report concerning Community Health, “so at this time, we are not in a position to comment.”
Cybersecurity experts have been warning for years that the U.S. health care system, which increasingly carries large volumes of patient data in electronic form, has shabby security against hackers.
“A lot of health care entities have not enacted good practices yet,” said Deven McGraw, a partner in the health care practice of Manatt, Phelps & Phillips.
A company with many hospitals in its system could have a weak institution in the chain. “You may have a health care center that has very strong firewalls, but you’d be surprised how many IT systems don’t have that technical control,” said Dennis Seymour, chief security architect for consultancy Ellumen.
Ponemon said numerous past incidents should have been a wake-up call and that even this one “may not move the complacency meter. It’s very expensive to provide security, and it hasn’t been a priority to health care, even though patient data is the crown jewel of privacy.”
“We could all invest like the CIA,”said Russell Branzell, president of the College of Health Information Management Executives. “But nobody could afford it.”
Two weeks ago his organization launched an association of health information security executives, and it already has 110 members. “We know we need to collaborate, share best practices and learn together to assure that security is protected across the country,” Branzell said.
The fact that the hackers were from China could suggest they knew of a black market for the data or that they were probing the hospital on behalf of the Chinese government, which would have an interest in the security of U.S. health care, Ponemon said.
“If you contaminate millions of medical records, you can damage a country,” he said.
“MIssion accomplished” by the corrupt EXEMPT.
Thanks Barky...
How could that be? I mean, we did implement all of those HIPAA rules didn't we?
well, at least Community Health Services saved a few bucks on computer security costs.
just another reason for us to avoid our local Community Health hospital which always seems to be much more expensive than other providers (and also nearly killed me).
their hack was on TV assuring us that they will do everything possible to protect and support us and not let us be harmed financially. they provided their phone number for those concerned ((855) 205-6951) but it won’t go online until Wednesday.
The Joy of Electronic Health records. They should be illegal- Not required.
Can’t anyone make a program hack proof?.
” Can’t anyone make a program hack proof?.”
The only perfectly secure computer is one with no network connection, no keyboard, no display, no other connected peripherals, and no non-volatile storage. And if you want ridiculously secure, better not have powered up (because of emanation security).
Now if you can’t live with the above conditions, you can put some countermeasures in place to reduce vulnerability and mitigate risk, but you have to recognize that this what you are doing.
Code is sort of the same way.
So much for technology
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.