PHOTO GALLERY: Local kids and pets dressed up for Halloween (IT’S NOT TOO LATE TO SUBMIT YOUR PHOTOS HERE)

Hackers hit 200 hospitals in US, steal data on 4.5 million patients – 4 hospitals hit in Washington

Hackers have taken 4.5 million Social Security numbers from patients who attended any one of Community Health Systems' 206 hospitals this year.

Hackers have taken 4.5 million Social Security numbers from patients who attended any one of Community Health Systems’ 206 hospitals this year.

NEW YORK (CNNMoney) — Community Health Systems, which operates 206 hospitals across the United States, announced on Monday that hackers recently broke into its computers and stole data on 4.5 million patients.

Hackers have gained access to their names, Social Security numbers, physical addresses, birthdays and telephone numbers.

Anyone who received treatment from a network-owned hospital in the last five years — or was merely referred there by an outside doctor — is affected.

The large data breach puts these people at heightened risk of identity fraud. That allows criminals open bank accounts and credit cards on their behalf, take out loans and ruin personal credit history.

The company’s hospitals operate in 28 states but have their most significant presence in Alabama, Florida, Mississippi, Oklahoma, Pennsylvania, Tennessee and Texas.

In Washington State the company operates hospitals in Yakima and Spokane counties including Yakima Regional Medical and Cardiac Center, Toppenish Community Hospital, Deaconess Hospital and Valley Hospital.

Community Health Systems hired cybersecurity experts at Mandiant to consult on the hack. They have determined the hackers were in China and used high-end, sophisticated malware to launch the attacks sometime in April and June this year.

The FBI said it’s working closely with the hospital network and “committing significant resources and efforts to target, disrupt, dismantle and arrest the perpetrators.”

Federal investigators and Mandiant told the hospital network those hackers have previously been spotted conducting corporate espionage, targeting valuable information about medical devices.

But this time, the hackers stole patient data instead. Hackers did not manage to steal information related to patients’ medical histories, clinical operations or credit cards.

Still, the lost personal information is protected by the Health Insurance Portability and Accountability Act, the federal health records protection law. That means patients could sue the hospital network for damages.

As for exposed victims protecting themselves? There’s little they can do. They won’t be truly protected from fraud until numerous government agencies, credit bureaus, banks, data brokers and others update their systems.

Making matters worse, Community Health Systems said it will provide notification to the 4.5 million patients “as required by federal and state law,” which is inconsistent and varies by region. There is no federal data breach law that requires timely and transparent disclosure that sensitive personal information was lost.

Shares of the publicly-traded Community Health Systems edged lower Monday morning. But the company tried to stem worries about the damages in a filing Monday with the Securities and Exchange Commission, saying that it “carries cyber/privacy liability insurance to protect it against certain losses related to matters of this nature.”

The hospital network said that just before Monday’s announcement, it managed to wipe the hackers’ malware from its computer systems and implemented protections to prevent similar break-ins.

The company plans to offer identity theft protection to the 4.5 million victims of the data breach.

CNN’s Evan Perez contributed to this report.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

6 comments

  • Hardy Glennson

    The perpetrators originate in Nanning, China.They are Chinese government sponsored. I’ve been monitoring them for quite some time. They are continually probing the west for security holes. It is done via sophisticated software without much human interaction at all. They uncover the security holes and exploit.

  • Simon S

    “There is no federal data breach law that requires timely and transparent disclosure that sensitive personal information was lost”

    The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions implemented and enforced by the Federal Trade Commission (FTC), apply to vendors of personal health records and their third party service providers, pursuant to section 13407 of the HITECH Act

  • ChinaMarine (@China_Marine)

    STOP Using WINDOWS!

    All these data breaches are because someone was using windows, not only that, their servers are ALL probably a Version of MS Server…

    It all starts when someone opens an attachment (ON A WINDOWS MACHINE!!!) and that someone was probably a system admin guy (IDIOT) and then that was all that was needed…

    YOU Don’t have these problems on Linux systems… Just because, things are built from the ground up with SECURITY in mind… Not like MS, which has millions of holes, and they keep trying to plug them all, but they never can, nor will they ever…

  • Kelly

    People should write to all three credit bureaus and request that their credit be locked permanently. It’s free to do in most states and it’s simple to unlock it when you need it. Don’t waste money on credit monitoring, just lock your credit and be in control of your own identity.