Nearly 5 million patients covered under one hospital operator had personal medical data stolen by hackers, the company announced.
Community Health Systems Inc. said Monday that personal data, including patient names and addresses, of roughly 4.5 million people were stolen by hackers from its computer network, likely in April and June, according to Reuters.
The Tennessee-based company said the data, considered protected under the Health Insurance Portability and Accountability Act, also included Social Security numbers, birth dates and telephone numbers of patients who were referred for or received services from doctors affiliated with the hospital group in the last five years.
Community Health Systems affiliates own, operate or lease 206 hospitals in 29 states with approximately 31,100 licensed beds.
The hackers did not get their hands on patient credit card or medical information, the company said in a regulatory filing. Mandiant, a forensics firm hired by the hospital operator, said it believes the group originated from China, according to Knox News.
According to Mandiant and federal authorities, hackers have typically sought valuable intellectual property, such as medical device and equipment development data, but individuals should still be concerned about their data. In a report last year, Dell SecureWorks highlighted the underground market for pieces of health insurance information, ranging from contract numbers to the type of plan a customer has purchased. These packages of data, which can also feature verified bank account numbers and other information, are known in the cyber-underground as “fullz,” according to Security Week.
In 2013, hackers could get up to $500 for a fullz, depending on what was included, with health insurance credentials going for about $20 each and an additional $20 added whenever there is a dental, vision or chiropractic plan associated with the health plan. When the data is sold as a package with custom-manufactured or counterfeit physical documents, such as credit cards and driver’s licenses, hackers refer to these packages as “kitz,” which fetch between $1,200 and $1,300 apiece, according to Dark Reading.
The FBI warned healthcare providers in April that their cybersecurity systems were lax compared to other sectors, making them vulnerable to hackers looking for details that could be used to access bank accounts or obtain prescriptions. CHS said that, prior to filing the regulatory document, the hackers’ malware was eradicated from its systems and that it is notifying patients and regulatory agencies as required by law, according to Reuters.
Follow Elizabeth Kreft (@elizabethakreft) on Twitter