Community Health Systems data breach impacts SMH clinics

-A A +A

Hackers steal personal information of nearly 4.5 million patients

By Reece Murphy

The personal data of patients treated at Springs Memorial Hospital-associated clinics was among the information stolen in a massive Community Health Systems computer breach announced by the company Monday, Aug. 18.

Springs Memorial Hospital is one of 206 hospitals Community Health Systems owns in 29 states.

According to a company filing with the U.S. Securities and Exchange Commission, hackers stole sometime between April and June the names, Social Security numbers, addresses, birthdays and telephone numbers of 4.5 million patients.

The theft, which the company said did not include credit card numbers or medical records, affects the personal information of patients referred to or seen by doctors and clinics affiliated with Community Health Systems and its hospitals over the past five years.

Hospital officials declined to comment on the breach directly, but confirmed the theft included the personal information of patients seen over the past  half-decade at several clinics affiliated with the hospital.

The Lancaster Clinic Corporation clinics include Comprehensive Urology, General Surgery of Lancaster, Lancaster Neurology, Lancaster Orthopaedics and Sports Medicine, Lancaster Pediatrics and the now closed Palmetto Family Medicine of Kershaw.

“We take very seriously the security and confidentiality of private patient information and we sincerely regret any concern or inconvenience this event may cause for our patients,” the release said. 

“Though we have no reason to believe that this data would ever be used, all affected patients are being notified by letter and offered free identity theft protection.”

SMH Director of Community Relations Ashley Shannon said affected patients should begin receiving notification letters by Aug. 30.

In its filing, Community Health Services said it believes the theft was conducted by a group of Chinese hackers that typically seeks to steal intellectual property information such as medical device and equipment development data.

The company said the computer forensic company Mandiant removed the malicious software used in the attack and protected its system against future attacks. The FBI is investigating.

According to the Reuters news agency, the Chinese hacking group believed responsible for the theft is “APT 18,” a group with suspected links to the Chinese government and known for stealing intellectual property from large American industries.

Reuters said Social Security numbers and other personal information such as the data stolen in the Community Health Services breach is most often sold on underground exchanges for use by others in identity theft.

The Community Health Services theft is the largest cybertheft of patient information since 2009 when the U.S. Department of Health and Service began tracking such breaches, the news agency said.

The hospital system breach comes nearly two years after cybercriminals hacked S.C. Department of Revenue computers and stole 3.8 million tax returns with Social Security and bank account information and 387,000 credit and debit card numbers.

Contact reporter Reece Murphy at (803) 283-1151