AAPL Stock: 110.38 ( + 0.8 )

Printed from

Community Health Systems admits breach, 4.5 million patients affected

updated 06:34 pm EDT, Mon August 18, 2014

Personal information including social security numbers stolen, no medical information

Today, in a filing with the United States Securities and Exchange Commission (SEC), medical services provider Community Health Systems (CHS) revealed that it was the victim of a cyber attack that spanned a three-month period. According to the filing information, personal information from around 4.5 million patients was stolen, including Social Security numbers.

The company believes that the attack started in April and ran until June, but didn't give specific dates in the SEC document. According to the filing, the party responsible for the attack on the company's computer systems is believed to be a "Advanced Persistent Threat" group out of China. The group used "highly-sophisticated malware and technology" to carry out the attack. CHS learned of the attack source after it brought on Mandiant, a subsidiary of FireEye, to look into a possible breach.

While CHS has been working with Mandiant and federal law enforcement, the damage is found to be quite widespread. Typically, the hacking group involved seeks information regarding intellectual property, but evidence was found that the data stolen consisted of "non-medical patient identification data relating to the company's physician practice operations."

Patients that have dealt with CHS, which is one of the largest hospital operators in the United States, in the last five years are said to be affected. This includes any patients that received services or were referred to affiliated doctors. Currently, there are 206 hospitals in the network, across 29 states. The breach marks the largest theft from the healthcare industry since the attack on the Montana Department of Public Health in 2009.

Information that was stolen from for the approximately 4.5 million patients consisted of data that would generally be protected under the Health Insurance Portability and Accountability Act (HIPAA). CHS states that the information includes "patient names, addresses, birthdates, telephone numbers and Social Security numbers." However, no medical or clinical information was obtained, nor were any credit card numbers or other payment data involved.

CHS indicates that they are looking to prosecute the responsible parties, but if the attackers are confirmed to be in China, it's highly unlikely that anything would happen. The United States and China have a strained relationship when it comes to hacking and espionage, especially when demands are made for legal action.

Identity theft services are being offered to the patients affected by the data theft. CHS has already started notifying patients and other regulatory agencies.

by MacNN Staff



  1. Jeff Simpson

    Fresh-Faced Recruit

    Joined: 02-23-07

    PATIENTS maybe?

  1. shawnde

    Fresh-Faced Recruit

    Joined: 04-01-08

    The headline should say "patients" instead of "patents" :-)

  1. Jordan Anderson

    Electronista Staff

    Joined: 06-04-14

    That it should. Thanks folks.

Login Here

Not a member of the MacNN forums? Register now for free.


Network Headlines

Follow us on Facebook


Most Popular


Recent Reviews

Polk Hinge Wireless headphones

Polk, a company well-established in the audio market, recently released a new set of headphones aimed at the lifestyle market. The Hin ...

Blue Yeti Studio

Despite being very familiar with Blue Microphones' lower-end products -- we've long recommended the company's Snowball line of mics ...

ZTE Spro 2 Smart Projector

Home theaters are becoming more and more accessible these days, but maybe you've been a bit wary about buying a home projector. And h ...


Most Commented