A cyberattack suspected to have originated in China stole Social Security numbers and other personal data for 4.5 million patients whose records were in Community Health Services Inc.’s system, the company said Monday.
The data breach included the names, addresses, birth dates, telephone numbers and Social Security numbers of patients who were referred for or received services from doctors affiliated with the hospital group in the last five years. It did not include patient credit card, medical or clinical information, the company said in regulatory filings.
Tennessee-based Community Health is one of the largest hospital groups in the U.S., operating 206 hospitals in 29 states. It has three hospitals in California: Barstow Community Hospital, Fallbrook Hospital and Watsonville Community Hospital.
John Rader, a spokesman for Barstow Community Hospital, said in an email that patients of that facility were not affected. The breach affected only affiliated outpatient clinics, he said, and the Barstow hospital did not have any such clinics at the time of the breach.
“This clinic data breach has no impact on Barstow Community Hospital patients, but it has further strengthened our security network,” Rader said.
Officials at the Fallbrook and Watsonville facilities did not immediately respond to a request for comment.
The attack is the largest of its kind involving patient information, according to a U.S. Department of Health and Human Services website that began tracking such breaches in 2009. A Tricare Management Activity data loss in 2011 affected nearly 5 million people, but it was not a cyberattack.
Community Health said the attack on its systems occurred in April and June and appears to be the work of a sophisticated hacking group in China, according to its forensic investigator, FireEye Inc.’s Mandiant unit.
Reuters reported in April that the FBI had warned healthcare providers in a private notice that the industry’s protections were lax compared with the retail and financial sectors. Healthcare data are more valuable on the black market, Reuters reported, because they can be used to access bank accounts or obtain prescriptions for controlled substances.
Community Health said that it has removed the malicious software that enabled the attack and has taken other measures to prevent similar intrusion attempts in the future.
The company is notifying patients and regulatory agencies as required by federal and state law, it said in Monday’s filing. It said it will also offer identity theft protection services for individuals affected by the breach.
The hospital group said it was insured against a privacy breach of this type and does not expect material adverse effects on its finances as a result of remediation expenses, regulatory inquiries, litigation and other liabilities.
Community Health’s stock closed at $51.66 a share on the New York Stock Exchange Monday, up 66 cents from Friday’s close.