The cyber-attack affects doesn't affect the patients or former patients at any CHS hospitals, a spokesperson said. The computer network that was targeted by criminals contained information belonging to some patients seen at “physician practices and clinics affiliated with CHS hospitals, like Southside Regional Medical Center (SRMC) in Petersburg."
The SRMC has seven affiliated physician practices within its network of affiliated services. The CHS also operates hospitals in Emporia and Franklin.
Hackers have gained access to patient names, Social Security numbers, physical addresses, birthdays and telephone numbers. The large data breach puts these people at heightened risk of identity fraud. That allows criminals open bank accounts and credit cards on their behalf, take out loans and ruin personal credit history.
A news release from Southside Regional Medical Center Monday afternoon stated the transferred data did not include patient medical or clinical information or credit card information.
Community Health Systems hired cybersecurity experts at Mandiant to consult on the hack. They have determined the hackers were in China and used high-end, sophisticated malware to launch the attacks sometime in April and June this year.
The FBI said it’s working closely with the hospital network and “committing significant resources and efforts to target, disrupt, dismantle and arrest the perpetrators.”
Federal investigators and Mandiant told the hospital network those hackers have previously been spotted conducting corporate espionage, targeting valuable information about medical devices.
But this time, the hackers stole patient data instead. Hackers did not manage to steal information related to patients’ medical histories, clinical operations or credit cards.
Still, the lost personal information is protected by the Health Insurance Portability and Accountability Act, the federal health records protection law. That means patients could sue the hospital network for damages.
As for exposed victims protecting themselves? There’s little they can do. They won’t be truly protected from fraud until numerous government agencies, credit bureaus, banks, data brokers and others update their systems.
Making matters worse, Community Health Systems said it will provide notification to the 4.5 million patients “as required by federal and state law,” which is inconsistent and varies by region. There is no federal data breach law that requires timely and transparent disclosure that sensitive personal information was lost.
Shares of the publicly-traded Community Health Systems edged lower Monday morning. But the company tried to stem worries about the damages in a filing Monday with the Securities and Exchange Commission, saying that it “carries cyber/privacy liability insurance to protect it against certain losses related to matters of this nature.”
The hospital network said that just before Monday’s announcement, it managed to wipe the hackers’ malware from its computer systems and implemented protections to prevent similar break-ins.
Community Health Services said in a statement given to the US Security and Exchange Commission that they will be offering identity theft protection services to those affected by the attack.