News Feature | August 26, 2014

CHS Starts Notification Process Following Huge Breach

Christine Kern

By Christine Kern, contributing writer

CHS Data Breach

A China-based hacking group stole Social Security information, as well as names, dates of births, and addresses in one of the largest healthcare breaches ever.

Community Health Systems, victim of a massive breach of protected health information, will formally notify the HHS Office for Civil Rights and media outlets, as well as begin the patient notification process a spokesperson told Health Data Management.

The 206-hospital organization disclosed the breach August 18 in a filing with the Securities and Exchange Commission, since the hacking of ambulatory patient data including Social Security numbers for 4.5 million patients is a “material event” that publicly held companies must immediately report.

Investigators say a China-based hacking group is to blame for the data breach. The stolen data included Social Security Numbers, names, dates of birth, addresses, and contact information. However, no credit card numbers or medical records were stolen in the attacks which took place in April and June.

CHS and Mandiant, which was commissioned in June to conduct the forensic investigation, "believe the attacker was an 'Advanced Persistent Threat' group originating from China who used highly sophisticated malware and technology to attack the Company’s systems," according to a regulatory report the CHS filed with the Securities and Exchange Commission today.

The attack methods are characteristic of a particular APT group, but the type of information stolen –personal identity information – is a departure from the norm for the group, which "has typically sought valuable intellectual property, such as medical device and equipment development data," according to the filing. The name of the suspected group has not been revealed and the investigation is ongoing.

Although many healthcare organizations are vulnerable to data breaches, they are frustrated because they would like to better secure data but do not have the resources. Despite lack of funds, there still are ways to boost security.

One way is to take a closer look at SSNs, because as long as they are in information systems, healthcare organizations will continue to be targeted –  and many of them don’t need the SSN, suggests Linn Freedman, a partner and information security specialist in the Nixon Peabody law firm in Providence, RI. Those who need it should encrypt the number at rest or mask most of the number, such as using only the last four digits.

The CHS hacking is the second largest breach since HHS/OCR began tracking such incidents in late 2009. In September 2011, backup tapes containing PHI on 4.9 million individuals from the military Tricare health insurance program were stolen along with other items from the car of an employee of contractor SAIC.

On its public website of major breaches, HHS/OCR lists at least 89 incidents of hacking that affected 500 or more patients with an increasing number throughout 2013 and 2014. The CHS breach will be by far the largest hacking event involving protected health information. Other major PHI hacks – the largest occurring at government agencies – include Montana Department of Public Health and Human Services (1,062, 509 affected individuals); Utah Department of Health (780,000); Puerto Rico Department of Health (475,000); St. Joseph Health System in Texas (405,000); UW Medicine in Washington (76,183); and L.A. Gay & Lesbian Center (59,000).