Community Health Systems revealed in a Securities and Exchange Commission regulatory filing yesterday that, between April and June 2014, over 4.5 million records were accessed by a group of Chinese hackers. Based in Franklin, Tennessee, Community Health Systems is one of the largest hospital systems in the United States, with over 206 hospitals spanning 29 states.

Community Health said “the stolen data did not include medical or clinical information, credit card numbers, or any intellectual property such as data on medical device development.” Rather, data such as names, Social Security numbers, birth dates, and telephone numbers were compromised.

Despite the fact that no medical information was reported to be accessed or stolen, the compromised information is still classified as Protected Health Information (PHI). As such, under the HIPAA Breach Notification Rule, Community Health is required to notify all affected patients and the Secretary of Health & Human Services and because the breach impacts over 500 patients, they were also required to notify the media.

This cyber-attack should come as no surprise, following a warning by the FBI to healthcare providers earlier this year. A memo distributed on April 8th, 2014, stated, “the healthcare industry is not as resilient to cyber intrusions compared to financial and retail sectors, therefore the possibilities of increased cyber intrusions is likely.”

According to Dell SecureWorks, health insurance credentials are sold on the black market for around $20 each, significantly higher than the estimated $1-2 per credit card. Some of the information included in a $20 profile might include a name, spouse’s name, children’s names, date of birth, address, contract number, group number, type of plan, and insurer contact information for filing claims.

While many people think that their PHI is of no interest to hackers, it may very well be if they’ve had anything else like a credit card or driver’s license stolen. An entire package of stolen identity data, referred to as “kitz”, go for over $1,200, and include additional stolen information such as SSN, bank account numbers, driver’s license number, email credentials, and sometimes even high-quality counterfeit physical documents.

This news bit helps spotlight the importance of protecting information systems at healthcare organizations. As highlighted by the FBI, even the healthcare organizations in full compliance with HIPAA and HITECH may be vulnerable to cyber-attacks that can result in breached PHI. Solve Healthcare provides auditing, information technology infrastructure and support to ensure your organization remains protected from a breach.

Source: Reuters