FRANKLIN, Tenn. (AP/WANE) — Hospital operator Community Health Systems said a cyberattack took information on more than 4 million patients from its computer network earlier this year. Community Health Systems owns Lutheran Health Network.
The Franklin, Tennessee, company said Monday that no medical or credit card records were taken in the attack, which may have happened in April and June. But Community said the attack did bypass its security systems to take patient names, addresses, birthdates, and phone and Social Security numbers.
The hospital operator said it believes the attack came from a group in China that used sophisticated malware and technology to get the information. Community Health has since removed the malware from its system and finalized “other remediation efforts” to prevent future attacks.
A spokeswoman did not immediately respond to a request from The Associated Press seeking comment on the attacks.
However, Lutheran Health Network Vice President Alice Robinson did release the following statement to NewsChannel 15:
Limited personal identification data belonging to some patients who were seen at physician practices and clinics affiliated with Lutheran Health Network over the past five years was transferred out of our organization in a criminal cyber-attack by a foreign-based intruder. The transferred information did not include any medical information or credit card information, but it did include names, addresses, birthdates, telephone numbers and social security numbers.
We take very seriously the security and confidentiality of private patient information and we sincerely regret any concern or inconvenience to patients. Though we have no reason to believe that this data would ever be used, all affected patients are being notified by letter and offered free identity theft protection.
Our organization believes the intruder was a foreign-based group out of China that was likely looking for intellectual property. The intruder used highly sophisticated methods to bypass security systems. The intruder has been eradicated and applications have been deployed to protect against future attacks. We are working with federal law enforcement authorities in their investigation and will support prosecution of those responsible for this attack.
Many American companies and organizations have been victimized by foreign-based cyber intrusions. It is up to the Federal Government to create a national cyber defense that can prevent this type of criminal invasion from happening in the future.
The information that was taken came from patients who were referred to or received care from doctors tied to the company over the past five years.
Community Health Systems Inc. is notifying patients affected by the attack and offering them identity theft protection services. The company owns, leases or operates 206 hospitals in 29 states.
The attack follows other high-profile data security problems that have hit retailers like the e-commerce site eBay and Target Corp. Last year, hackers stole from Target about 40 million debit and credit card numbers and personal information for 70 million people.
Shares of Community Health climbed 38 cents to $51.38 late Monday morning, while broader trading indexes also rose less than 1 percent.
Copyright 2014 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.