Spears Legal Technology


This blog is a resource guide for informational purposes only, and not the delivery of legal, technical or other professional advice. Using the information provided on this blog does not constitute an attorney-client relationship. If you need legal advice, please consult your lawyer.

Community Health Systems data breach affects 4.5M

Yesterday, Community Health Systems filed a public report with the U.S. Securities and Exchange Commission (SEC) detailing a data breach that affects 4.5 million individuals. This is a serious breach, especially because Social Security numbers were stolen along with names and birth dates. Together, the three pieces of information are a jackpot for identity thieves because they cannot be changed as easily as a password or email address, and are often all that is needed to open a bank account or obtain a credit card.

In July 2014, Community Health Systems, Inc. (the “Company”) confirmed that its computer network was the target of an external, criminal cyber attack that the Company believes occurred in April and June, 2014. The Company and its forensic expert, Mandiant (a FireEye Company), believe the attacker was an “Advanced Persistent Threat” group originating from China who used highly sophisticated malware and technology to attack the Company’s systems. . . . The Company has been informed by federal authorities and Mandiant that this intruder has typically sought valuable intellectual property, such as medical device and equipment development data. However, in this instance the data transferred was non-medical patient identification data related to the Company’s physician practice operations and affected approximately 4.5 million individuals who, in the last five years, were referred for or received services from physicians affiliated with the Company. The Company has confirmed that this data did not include patient credit card, medical or clinical information; the data is, however, considered protected under the Health Insurance Portability and Accountability Act (“HIPAA”) because it includes patient names, addresses, birthdates, telephone numbers and social security numbers.

With the current state of security in the healthcare industry, I expect outside attacks on vulnerable providers and business associates will increase.
