The US hospital network Community Health Systems confirmed in an SEC regulatory filing Monday that its computer network was the target of an external, criminal cyberattack.
The breach, which is believed to have originated from a Chinese hacker ring, resulted in stolen personal data from nearly 4.5 million patients who were treated within the hospital chain over the last five years.
In the filing, the hospital company said the attacker was an Advanced Persistent Threat group using highly sophisticated malware to gain entry into its computer network.
The attacker copied and transferred non-medical patient identification data that is protected under the Health Insurance Portability and Accountability Act, such as patient names, addresses, birthdates, telephone numbers and social security numbers.
Community Health Systems stressed that no patient credit card data was stolen, nor were any clinical or medical records. The attackers also failed to retrieve any sensitive intellectual property data, which is what the hospital company said this particular hacker ring typically goes after.
Since learning of the attack, the hospital chain said it's been working both with federal law enforcement authorities and the forensic security company Mandiant, with the latter helping the company work through remediation efforts and eradicate the malware from its system.
The healthcare industry has frequently been criticized for poor security practices in recent months. In April, the FBI issued a warning to healthcare providers regarding potential security weaknesses, and several security reports have highlighted the same threats.
According to a recent report from BitSight Technologies, healthcare and pharmaceutical companies have the lowest security performance when compared to the finance, utility and retail sectors. Given the lasting repercussions from Target's security debacle, that's saying something.