Chinese Hackers Stole Information On 4.5 Million U.S. Hospital Patients
Community Health Systems operates 206 hospitals in 29 states, with a particularly large presence in the Southwest, reports Re/Code's Arik Hesseldahl, who broke the news on this attack.
The hackers were tracked to China, the hospital says.
While the hackers didn't get any credit card info, they did get patient names, addresses, birth dates, telephone numbers and social security numbers, the hospital revealed.
The hospital says the hack was something called an "advanced persistent threat" (APT), which is when hackers go after a target deliberately, using all kinds of methods to break in, sometimes spending months or longer on the attack. That's different from something called a "drive-by attack," which is the kind of malware that works randomly, when you visit an infected website or open an infected email.
APT is a very difficult kind of hack to stop, so the company hired a security firm famous for protecting against this kind of threat, Mandiant. It also worked with federal law enforcement, it said.
Mandiant came to fame when it revealed research on a Chinese military cyberwar unit accused of attacking the networks of over 100 companies looking for trade secrets. China has officially denied these accusations, but Mandiant's research was taken seriously by the U.S. Department of Justice. In May, the DoJ indicted five Chinese military hackers for breaking into U.S. corporations in the energy industry.
While the disclosure of a hack affecting 4.5 million patients is not good for Community Health Systems or its patients, it is something of a much-needed PR coup for security company FireEye. FireEye acquired Mandiant for $1 billion in January and shortly after that, investors went wild for the company, driving its stock up to over $97 by March. FireEye had only launched as a public company a few months earlier, in September 2013.
But when FireEye warned investors that it wouldn't grow as fast as it had hoped, the stock crashed big time and is now trading at about $30.
In the meantime, if you've been to a hospital in the past couple of months, you might want to double-check if it was one in the Community Health Systems network. And then you would be wise to watch for signs of identity theft.