Computer hackers in China hit area hospitals, steal patient data

Computer hackers traced to China stole personal data belonging to 4.5 million patients who used hospitals owned by Community Health Systems, which includes 20 hospitals in Pennsylvania and one in South Jersey.

The stolen information included patient names, addresses, birth dates, and telephone and Social Security numbers, but not credit card or medical information, according to a report filed with the federal government by Community Health.

"The company is providing appropriate notification to affected patients and regulatory agencies as required by law," the report said. Community Health is also providing identity-theft protection services for patients affected by the attack.

Community Health, based in Tennessee, is one of the nation's largest hospital organizations, with 206 hospitals in 29 states, including Chestnut Hill and Phoenixville Hospitals, Brandywine Hospital in Coatesville, Pottstown Memorial Medical Center, and Jennersville Regional Hospital in West Grove.

The attack is believed to be the second-largest of its type involving patient information since 2009, when the U.S. Department of Health and Human Services began tracking such breaches. The largest, in 2011, affected 4.9 million individuals.

Chestnut Hill Hospital chief executive officer John Cacciamani said he had been deluged with calls about the breach.

"I've been talking to people constantly," he said. "Not only have we fixed the [security] gap, but we are adding new security to a whole host of our systems to get us to the Fort Knox level."

Although company and other hospital officials could not immediately be reached for comment, the report to the government provides details.

The breach apparently occurred in April and June. The company hired a corporate forensic expert, Mandiant, which believes the hackers, based in China, used sophisticated malware to bypass security measures.

The hackers typically seek "valuable intellectual property, such as medical device and equipment development data. However, in this instance the data was nonmedical patient data."

The affected patients were treated over the last five years by physicians affiliated with Community Health hospitals.

In the past year, the FBI and other law enforcement agencies have seen a spike in international cyber attacks on large corporations - notably the Christmas season attack on Target stores that netted data from the credit and debit cards of 40 million shoppers - raising questions about the adequacy of security systems.

Community Health carries cyber/privacy liability insurance to protect it against losses related to security breaches, but its filing said the attack "may result in remediation expenses, regulatory inquiries, litigation and other liabilities."

The company's other Pennsylvania hospitals are: Berwick Hospital Center, Carlisle Regional Medical Center, Easton Hospital, First Hospital Wyoming Valley in Kingston, Heart of Lancaster Regional Medical Center in Lititz, Lancaster Regional Medical Center, Lock Haven Hospital, Memorial Hospital in York, Moses Taylor Hospital in Scranton, Regional Hospital of Scranton, Sharon Regional Health System, Special Care Hospital in Nanticoke, Sunbury Community Hospital, Tyler Memorial Hospital in Tunkhannock, and Wilkes-Barre General Hospital.

In New Jersey, the company has Memorial Hospital of Salem County.