A major American hospital company announced today that a cyberattack launched from China breached the private records of 4.5 million patients earlier this year.
The company, Franklin, Tenn.-based Community Health Systems Inc., said patients’ addresses, phone numbers, and Social Security numbers had been stolen, but that payment information and actual medical records were unaffected. The revelation, reported by Reuters, surfaced in a required regulatory filing.
Community Health Systems, which is the largest for-profit hospital company in the U.S., did not allege that the attacks in April and June were the work of the Chinese government. The company worked with security consultants at Mandiant, a subsidiary of FireEye, to analyze the hack, and the Mandiant consultants eventually linked it to a specific Chinese hacker group.
CHS and Mandiant “believe the attacker was an ‘Advanced Persistent Threat’ group originating from China who used highly sophisticated malware and technology to attack the Company’s systems,” the company explained in SEC Form 8-K, filed today.
Tomi Galin, a spokeswoman for CHS, told Reuters that the hack had not targeted medical technology specifications or other intellectual property data, which is often the primary target of Chinese state-sponsored hacking.
The U.S. government certainly believes that the Chinese are keenly interested in gaining access to sensitive data like that owned by CHS. On May 19, the Justice Department filed the first-ever criminal indictment against members of a foreign government, alleging that five agents of the Chinese military had hacked into key American industrial systems. And on July 11, the government filed charges against Su Bin, a Chinese aviation executive, alleging that he had stolen industrial secrets from American military contractors.
According to Forbes, CHS has liability insurance for data breaches and will use it to offer identity protection services to patients whose records were compromised.
Photo via Intel Free Press/Flickr (CC BY 2.0)