On Monday, August 18th, Community Health Systems (CHS) reported that it had been the victim of a cyber attack from a Chinese hacking group named “APT 18”, a group alleged to have ties to the Chinese government. APT 18 successfully stole a large quantity of PHI data, including social security numbers, contact information, and other personal information from 4.5 million patients. This stolen information did not contain medical data (such as patient records), but since it did contain PHI, the breach is most-certainly a violation of HIPAA. In fact, with 4.5 million patients affected, it qualifies as the largest HIPAA breach in history.
CHS, using liability insurance dedicated for this purpose, had provided identity theft protection for the affected patients. In a breach of this nature, where social security numbers and contact information is stolen, identify theft is the greatest risk to patients whose data has been compromised. CHS is one of the leading providers in the field of medical health care, second only to Hospital Corporation of America (HCA) in size. The Tennessee-based firm operates 206 hospitals in 28 different states. However, in April of 2014, the FBI issued an alert to the healthcare industry in regards to cyber threat readiness. Healthcare organizations lagged behind many other industries, despite the sensitive nature of possessing PHI.
According to many sources, attacks from China are very common in healthcare IT, claiming over a million attempts per day in an attempt to breach the network. Many cyber criminals work to compromise health IT services to gain access to proprietary information and software related to medical devices. Oftentimes this data is in demand on the black market. However, after compromising a network, many attackers will simply archive anything to which they can gain access. Many medical device manufacturers have seen intrusions into their networks in early 2013. Once again, these attacks are reputed to have come from China and lasted several months. These groups are known to establish access and prevent detection long enough to return many times. Forbes.com reports 804 breaches of Protected Health Information since 2009 alone.
CHS has reported that they are working to cooperate with federal law enforcement to both eradicate the malware that facilitated the breach in the first place, and to prosecute the parties responsible.