AAPL Stock: 117.81 ( -0.22 )

Printed from

Community Health Systems admits breach, 4.5 million patients affected

updated 06:34 pm EDT, Mon August 18, 2014

Personal information including social security numbers stolen, no medical information

Today, in a filing with the United States Securities and Exchange Commission (SEC), medical services provider Community Health Systems (CHS) revealed that it was the victim of a cyber attack that spanned a three-month period. According to the filing information, personal information from around 4.5 million patients was stolen, including Social Security numbers.

The company believes that the attack started in April and ran until June, but didn't give specific dates in the SEC document. According to the filing, the party responsible for the attack on the company's computer systems is believed to be a "Advanced Persistent Threat" group out of China. The group used "highly-sophisticated malware and technology" to carry out the attack. CHS learned of the attack source after it brought on Mandiant, a subsidiary of FireEye, to look into a possible breach.

While CHS has been working with Mandiant and federal law enforcement, the damage is found to be quite widespread. Typically, the hacking group involved seeks information regarding intellectual property, but evidence was found that the data stolen consisted of "non-medical patient identification data relating to the company's physician practice operations."

Patients that have dealt with CHS, which is one of the largest hospital operators in the United States, in the last five years are said to be affected. This includes any patients that received services or were referred to affiliated doctors. Currently, there are 206 hospitals in the network, across 29 states. The breach marks the largest theft from the healthcare industry since the attack on the Montana Department of Public Health in 2009.

Information that was stolen from for the approximately 4.5 million patients consisted of data that would generally be protected under the Health Insurance Portability and Accountability Act (HIPAA). CHS states that the information includes "patient names, addresses, birthdates, telephone numbers and Social Security numbers." However, no medical or clinical information was obtained, nor were any credit card numbers or other payment data involved.

CHS indicates that they are looking to prosecute the responsible parties, but if the attackers are confirmed to be in China, it's highly unlikely that anything would happen. The United States and China have a strained relationship when it comes to hacking and espionage, especially when demands are made for legal action.

Identity theft services are being offered to the patients affected by the data theft. CHS has already started notifying patients and other regulatory agencies.

by MacNN Staff



  1. Jeff Simpson

    Fresh-Faced Recruit

    Joined: 02-23-07

    PATIENTS maybe?

  1. shawnde

    Fresh-Faced Recruit

    Joined: 04-01-08

    The headline should say "patients" instead of "patents" :-)

  1. Jordan Anderson

    Electronista Staff

    Joined: 06-04-14

    That it should. Thanks folks.

Login Here

Not a member of the MacNN forums? Register now for free.


Network Headlines

Follow us on Facebook


Most Popular


Recent Reviews

Ultimate Ears Megaboom Bluetooth Speaker

Ultimate Ears (now owned by Logitech) has found great success in the marketplace with its "Boom" series of Bluetooth speakers, a mod ...

Kinivo URBN Premium Bluetooth Headphones

We love music, and we're willing to bet that you do, too. If you're like us, you probably spend a good portion of your time wearing ...

Jamstik+ MIDI Controller

For a long time the MIDI world has been dominated by keyboard-inspired controllers. Times are changing however, and we are slowly star ...


Most Commented