Breach alert: Hackers swipe data of 4.5M
Hackers 'used highly sophisticated malware and technology' to exploit Heartbleed flaw
In the second biggest HIPAA breach ever reported, one of the nation's largest healthcare systems has notified some 4.5 million of its patients that their personal information has been stolen by cybercriminals.
The Franklin, Tenn.-based Community Health Systems, which operates 206 hospitals across 29 states, in an Aug. 18 federal security filing, reported that hackers were able to gain access to CHS' systems throughout April and June 2014. The hacking group, which officials say originated from China, "used highly sophisticated malware and technology," the report stipulated.
"The attacker was able to bypass the Company's security measures and successfully copy and transfer certain data outside," company officials wrote in the filing. This is the largest hacking-related HIPAA data breach that has ever been reported, according to data from the Office for Civil Rights.
According to information security firm TrustedSec, the Chinese hacker group, carried out by Chinese Advanced Persistent Threat, exploited CVE-2014-0160, also known as the Heartbleed vulnerability. Only on Aug. 19 did the Federal Bureau of Investigation issue an alert to healthcare organizations that may be susceptible to an attack. The alert was not specific to Chinese hacking group.
Social Security numbers, patient names, addresses, dates of birth and telephone numbers of 4.5 million people were accessed by the attackers.
Following an internal investigation, Community Health Systems has learned that the hacker group typically goes after intellectual property, including medical device and equipment development data.
Nearly 3.9 million people have had their protected health information compromised in hacking related HIPAA breaches, according to OCR data, excluding what transpired at CHS. And in the last four years, criminal data attacks on the healthcare industry have skyrocketed 100 percent. To date, more than 33.8 million people have had their PHI compromised in HIPAA breaches.
Just this February, the five-hospital St. Joseph Health System in Texas, notified some 405,000 of its patients their data had been compromised following a three-day long data security attack.
"We're learning through experience and what we see happening out there, that more and more of the focus of breaches and attempts to get into systems is being turned toward healthcare," said Ed Marx, CIO at Texas Health Resources, in an interview with Healthcare IT News earlier this month. "As opposed to in the past, it may have been strictly retail."
[See also: What scares security officers the most.]
Speaking at the Healthcare IT News Privacy and Security Forum earlier this year, Jim Doggett, chief security officer and chief technology risk officer at the 38-hospital Kaiser Permanente, seemed to agree.
"Cybercriminal is an industry," he said. "It's well funded; it's well organized. They're patient, and they make money."
