Hacks Breach Hospital Chain's PHI Data
Hackers believed to be Chinese and seeking intellectual property instead stole non-medical identification data of 4.5 million patients who visited physicians associated with Community Health Systems hospitals, the chain said in an SEC statement. The chain, which boasts affiliation with 206 hospitals in 29 states, says it believes the hackers were looking for medical device and equipment development data.
The company says personal health information (PHI) data stolen included patients’ names, Social Security numbers, physical addresses, birthdays, and telephone numbers. The hackers did not steal information related to patients’ medical histories, clinical operations, or credit cards. The FBI says it is working with Community Health Systems to identify the hackers and protect the data.
The breach is a HIPAA violation; the company said in its SEC statement that the offending malware has been eliminated from its computer systems. It plans to offer identity theft protection to the 4.5 million victims of the breach.
Hacks of PHI make up less than 10 percent of breaches reported to the federal Office for Civil Rights at the Department of Health & Human Services, but they can be significant and costly. In 2012, the Utah Department of Technology Services’ servers were breached, exposing three quarters of a million records of Utah Medicaid and Children’s Health Insurance Program beneficiaries; the Salt Lake Tribune reported the state paid $3.4 million directly and was forced to make another $5.6 million of improvements to prevent another breach.