A group of advanced hackers in China that generally targets intellectual property stole personal data from Community Health Systems in an apparently unprecedented breach.
The health-care provider said in a regulatory filing it believes hackers based in China absconded with 4.5 million pieces of “non-medical patient identification data related to [its] physician practice.” The attacks occurred in April and June.
The dataset was made up of patient names, addresses, birthdates, telephone and Social Security numbers from individuals who used or were referred to the physicians' service over the past five years. It didn’t include medical or clinical information, or credit card numbers. Still, the information is considered protected under Health Insurance Portability and Accountability Act, better known as HIPAA.
Mandiant Managing Director Charles Carmakal told FOX Business the attack was the “first confirmed compromise where [advanced hackers in China] stole data like this.” While he couldn’t name the specific group accused of breaking into Community Health’s systems, he said the hackers are “known for stealing intellectual property related to health-care technology or other information that can help the Chinese government help residents of the country.”
Carmakal said Community Health hired Mandiant in June of this year, at which point the FireEye (FEYE) unit “conducted a thorough investigation of their network to understand the compromise.”
Mandiant determined the perpetrators used highly sophisticated malware and technology to break through Community Health’s computer defense systems. Carmakal added the group is known for “very creative attacks and techniques to break network defense.”
The attack is a departure from many recent breaches in which hackers, many of whom reside in Eastern Europe, snag personal information and sell it on the cyber black market.
"If intellectual property were the target, it’s possible (but not reported) that much like Target was breached via an HVAC contractor, perhaps there was more access to be had through medical networks to additional data and/or [intellectual property]," said Mark Stanislav, security evangelist at Duo Security, a provider of two-step authentication systems. "We may just be hearing the beginning of this story as further forensics and analysis occurs."
Community Health said it has “eradicated” the malware from its computer systems, and implemented “other remediation efforts that are designed to protect against future intrusions of this type.” It said it has cyber liability and privacy insurance and doesn’t think the hack will have a “material adverse effect on its business or financial results.”
Affected customers will be offered free identity theft services.
The shares jumped more than 1% in afternoon trading Monday, extending year-to-date gains of 30%.
Kevin Mandia, who founded Mandiant and is now COO at FireEye, told FOX Business earlier this month that the health-care sector is one of the most vulnerable to attacks. He said the reason is because people generally demand medical records be accessible quickly, so barriers are sometimes set to low levels to facilitate the process of moving them.
The Federal Bureau of Investigation issued a similar warning to health-care providers in April, according to a report from Reuters. A private notice obtained by the newswire said, “the health-care industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely.”