Community Hospital Systems (CHS), which operates just over 200 hospitals in 29 states, reported a data breach impacting about 4.5 million people on Monday. The incident, blamed on actors in China, was made public via an 8-K filing with the U.S. Securities and Exchange Commission.
The 8-K was brief and offered few details.
However, the report stated that CHS believes that the network compromise occurred in April and June of 2014. Once discovered, CHS hired Mandiant (a FireEye Company), who speculated that the attacker was part of a group in China. How the attacker was able to plant the undisclosed malware onto the CHS network was not disclosed in the 8-K filing.
"The attacker was able to bypass [CHS'] security measures and successfully copy and transfer certain data outside [CHS]," the 8-K explained.
Law enforcement added to that profile, telling CHS that the intruder has typically sought valuable IP, such as device and equipment data.
"However, in this instance the data transferred was non-medical patient identification data related to [CHS'] physician practice operations and affected approximately 4.5 million individuals who, in the last five years, were referred for or received services from physicians affiliated with [CHS]," the 8-K continued.
Because the compromised information is governed under HIPAA, as it included names, addresses, dates of birth, phone numbers, and Social Security Numbers.
CHS has begun the process of notifying everyone affected by the breach and offer ID protection services.
Towards the end of the SEC filing, CHS stated that - despite the large number of records and potential source of attack - they don't believe this incident will have a large impact on their business.
"[CHS] carries cyber/privacy liability insurance to protect it against certain losses related to matters of this nature. While this matter may result in remediation expenses, regulatory inquiries, litigation and other liabilities, at this time, the Company does not believe this incident will have a material adverse effect on its business or financial results."
A copy of the 8-K filing is available online.