US hospital group Community Health Systems has said that it was the victim of a state-sponsored cyber attack and has seen 4.5 million patient records stolen.
Pointing the finger at China, Community Health Systems said that the hacking group known as “APT 18” were to blame, and may have links to the Chinese Government. In the attack, Social Security numbers and other personal data were taken, according to Reuters.
The personal data included names, addresses, birth dates and telephone numbers of people who were referred or received services from doctors affiliated with the hospital group in the last five years, the company said in a regulatory filing.
CrowdStrike Chief Technology Officer Dmitri Alperovitch said his firm has seen “APT 18” targeting human rights groups and chemical companies, and commented that they “are of above average skill” among Chinese hackers.
A company filing confirmed that the attack occurred between April and June this year. The attacker was able to bypass the company’s security measures and successfully copy and transfer certain data outside the company, it said. The company added that it has completed eradication of the malware from its systems and finalised the implementation of other remediation efforts that are designed to protect against future intrusions of this type.
Jonathan French, security analyst at AppRiver, said: “This is a pretty big deal. Healthcare systems seem to be getting a closer eye on them by attackers; this may be due to each healthcare provider/network possibly having different standards of information security (some maybe more lax than others).
“Ignoring that it was a healthcare breach and looking at the data, this is similar to most other breaches. The stolen data didn’t appear to have anything healthcare specific to it from what they have said and the other data alone can do damage, but having valid social security numbers and the other information tied to the numbers can possibly cause a lot of damage. With 4.5 million of these, I imagine this information, if sold, could be pretty profitable for the attackers.”
Community Health said it is now notifying patients and regulatory agencies, as required by law, and that it is insured against such losses and does not at this time expect a material adverse effect on financial results.
Philip Lieberman, president of Lieberman Software, said: “The complete and utter disregard for security by the company is reflected in this statement that ‘It also said it is insured against such losses and does not at this time expect a material adverse effect on financial results.’
“The unfortunate reality is that most (but not all) of the healthcare providers have little concern for nor have they invested in IT security. There is no incentive for them to invest, nor is there any material consequence of their failure to protect their infrastructure. Some health providers with excellent reputations for quality and caring do make a substantial effort in IT security, but the sad fact is that one can probably make a strong correlation between the quality of health care of a hospital and their investments in IT security.
“As I have said many times before, HIPAA has had little to no effect in protecting patients and has been used as a brutal and cruel tool to control access to records by hospitals that act more as body snatchers to make sure competitors don’t care for their patients in an emergency, rather than compassionate care givers. HIPAA has done little to nothing to protect patients in the real world in IT or other circumstances.”