Community Hospital Systems (CHS), which operates just over 200 hospitals in 29 states, reported a data breach impacting about 4.5 million people on Monday. The incident, blamed on actors in China, was made public via an 8-K filing with the U.S. Securities and Exchange Commission.
The 8-K itself was brief, offering few details on the incident.
However, the report stated that CHS believes the network compromise occurred in April and June of 2014. Once the intrusion was discovered, CHS hired Mandiant (a FireEye company), who assessed that the attacker was part of a group in China. How the attacker planted the malware on the CHS network was not disclosed in the 8-K filing.
"The attacker was able to bypass [CHS'] security measures and successfully copy and transfer certain data outside [CHS]," the 8-K explained.
Law enforcement added to that profile, telling CHS that the intruder has typically sought valuable IP, such as device and equipment data.
"However, in this instance the data transferred was non-medical patient identification data related to [CHS'] physician practice operations and affected approximately 4.5 million individuals who, in the last five years, were referred for or received services from physicians affiliated with [CHS]," the 8-K continued.
The compromised information is governed under HIPAA, as it included names, addresses, dates of birth, phone numbers, and Social Security Numbers.
CHS has begun the process of notifying everyone affected by the breach and offering ID protection services.
"Obtaining personal information such as social security numbers, birth dates and physical addresses is similar to having a skeleton key which can open up many doors for someone nefarious. It can help create bogus accounts, can be sold, or in some cases, used as a form of currency," commented David Hobbs, Director of Security Solutions at Radware.
When asked if Radware disagreed with the assessment offered to CHS by Mandiant, Hobbs said no, but added that Radware is surprised to see this type of attack from alleged Chinese hackers.
"We don’t disagree with their findings – but we are surprised to see this type of attack vector from Chinese hackers. The theft of personal data is more indicative of an organized crime group and not one that normally conducts corporate espionage. What is also interesting to note is how this information wasn’t used for ransom purposes. Fines levied against data breaches can cost an organization $1.5 million per instance, which would force any business to be in a very precarious situation."
Towards the end of the SEC filing, CHS stated that, despite the large number of records and the potential source of the attack, it does not believe this incident will have a large impact on its business.
"[CHS] carries cyber/privacy liability insurance to protect it against certain losses related to matters of this nature. While this matter may result in remediation expenses, regulatory inquiries, litigation and other liabilities, at this time, the Company does not believe this incident will have a material adverse effect on its business or financial results."
A copy of the 8-K filing is available online.