YOUNGSTOWN, Ohio (WKBN) – Community Health Systems, the operator of three area hospitals, revealed in a government report Monday that a July security breach compromised patient information, including names, phone numbers and Social Security numbers.
CHS said they believed the attacker to be a group out of China using sophisticated technology to steal valuable information about approximately 4.5 million people, according to the document, filed with the U.S. Securities and Exchange Commission.
CHS operates Trumbull Memorial Hospital and Hillside Rehabilitation Hospital in Warren, Northside Medical Center in Youngstown, which are collectively known as ValleyCare Health System, and Affinity Medical Center in Massillon. It operates 206 hospitals in 29 states nationwide.
The company has been working with federal law enforcement and its security firm, Mandiant, to investigate the breach and said that the malware which caused the data to be leaked has been eliminated.
Federal authorities and Mandiant told CHS that the group has sought data on medical devices and equipment development in the past, but that in this case, the information was non-medical patient identification data.
The 4.5 million people affected are patients served by or referred to CHS.
CHS said the data did not include patient credit card, medical or clinical information but did include patient names, addresses, birth dates, telephone numbers and Social Security numbers.
The company is notifying affected patients and regulatory agencies as required by federal and state law and will be offering identity theft protection services to individuals affected by the attack even though they do not think the information will be used.
CHS said in the document that the incident would not have a negative material effect on its business or financial results but may result in remediation expenses, regulatory inquiries, litigation and other liabilities.
“We take very seriously the security and confidentiality of private patient information and we sincerely regret any concern or inconvenience to patients,” a media statement from ValleyCare Health System said. “Though we have no reason to believe that this data would ever be used, all affected patients are being notified by letter and offered free identity theft protection.”
Warren Police Sgt Geoff Fusco said malware attacks are common and most times occur by accident.
“Someone opening an email not knowing where it is from, after reading from the email, they will download a link and then when they click on the link, it will install the malware. Always read it and if it is something you don’t know, just delete it,” Fusco said. “Sometimes they will try to call you or they will email you and get a scam going, saying ‘hey, we are with the FBI’ or ‘we are with the IRS’ and they will try to use some of that information. If you don’t call somebody, don’t give them any more information. Don’t trust anybody.”
Community Health Systems will be offering those individuals who are affected by the cyber attack identity theft protection services.
Last year, federal agents notified more than 3,000 U.S. companies that their computer systems had been hacked. Fusco said people can protect their personal information by changing their password every 90 days.