Community Health Systems confirmed this week that it suffered a major hack by a group of cyber-criminals apparently operating out of China.
CHS, the 2nd-largest for-profit hospital chain in the U.S., said that the hacker obtained names, social security numbers, birth dates, telephone numbers and addresses. The theft didn’t include credit card, medical or clinical information.
"The Company and its forensic expert, Mandiant (a FireEye Company), believe the attacker was an "Advanced Persistent Threat" group originating from China who used highly sophisticated malware and technology to attack the Company’s systems," according to a CHS regulatory filing. "The attacker was able to bypass the Company’s security measures and successfully copy and transfer certain data outside the Company."
Read more of MassDevice.com’s coverage of medical device cybersecurity and hacking.
CHS noted that it’s working with federal agents to investigate and possibly prosecute the hackers involved, and that the company is providing identity protection services to the patients affected by the hack. CHS added that it had also finally cleared its system of all malware and upgraded its security system just prior to reporting the incident in its regulatory filings.
The incident appears to be something of an anomaly since the hackers didn’t snag any medical data, which is worth far more on the internet’s black markets than credit card information. The group involved is also more typically associated with thefts of "valuable intellectual property, such as medical device and equipment development data."
"We have tracked this group for the past 4 years and internally refer to them as APT 18," Mandiant managing director Charles Carmakal told Bloomberg. "This group typically targets companies in the aerospace and defense, construction and engineering, technology, financial services, and health-care industry verticals."
The same group was tied to an 2013 hack of the U.S. Energy Department.