Community Health Systems says that hackers may have accessed data from as many as 4.5 million patients, according to a filing with the Securities and Exchange Commission.
The health organization operates 206 hospitals in 29 states.
The attack happened between April and June of this year and is believed to be the work of a hacker group in China. The group is thought to use advanced persistent threat technology, a continuous series of hacking processes. The advanced malware was able to penetrate Community Health networks and successfully transfer data out.
All the information that was siphoned out of Community Health databases was non medical, though it did include “patient names, addresses, birthdates, telephone numbers and social security numbers,” according to the filing. It mostly related to hospital operations and patients who received a referral for services.
The health care provider hired cybersecurity firm Mandiant (a subsidiary of FireEye) to get rid of the attacker and prevent against future attacks. The company is also working with federal law enforcement.
As Recode notes, perhaps most interesting is the parallel between the attack on Community Health and the work of a Chinese military hacking group that Mandiant reported on last year. The unit, called 61398, also uses advanced persistent threat tech and may have staged at least 141 attacks inside the U.S and Canada of a similar nature.
In that case, hackers were taking information related to product and business development, as well as email exchanges between business executives — any information that would help Chinese companies gain a competitive edge over American companies.
The Mandiant report led the U.S. Department of Justice to criminally indict five members of China’s 61398 team. As of yet, it’s uncertain whether this recent rash of attacks on Community Health Systems is related.