Did you miss a session from the Future of Work Summit? Head over to our Future of Work Summit on-demand library to stream.

Last week’s data breach at Community Health Systems, in which data from 5.4 million patients was lost, could end up costing the health system between $75 million and $150 million, according to Forbes digital health columnist Dan Munro.

The CHS hackers, now known as APT 18, used the computer bug Heartbleed to access VPN log-in credentials, experts have told VentureBeat.

Related: The Chinese government has a clear motive to steal U.S. health data

CHS said in a filing that no clinical data was taken in the theft but that Social Security numbers (the holy grail for identity thieves) were lost, along with an array of personal information that included patient names, addresses and phone numbers.

All of that information is covered by HIPAA privacy laws. And this comes just a few months after an attorney for the Office for Civil Rights (the Health and Human Services office charged with monitoring HIPAA compliance) said that the agency would be more aggressive this year about cracking down on privacy violations.

A group in Alabama has already filed a class action lawsuit against CHS. The Southern state is one of the 29 with CHS hospitals.

Fierce Health points out that the OCR has levied nine fines totaling more than $10 million since June 1, 2013. That includes a record $4.8 million fine announced in May against New York-Presbyterian Hospital and Columbia University.

Munro bases his cost estimate of the CHS breach on the following factors:

  1. Remediation (technical, legal and administrative)
  2. OCR fines associated with HIPAA violations
  3. Identity theft protection or credit monitoring for patients
  4. Defending against both patient and shareholder lawsuits and settlements
  5. The incalculable cost of potential insurance fraud stemming from 4.5 million exposed Social Security numbers

Two years ago, Blue Cross Blue Shield of Tennessee lost about a million records and incurred losses of an estimated $17 million as a result.

Part of that was a $7 million bill for improved security systems. CHS, security experts point out, used a lot of open-source or free security, and it could have to invest millions to upgrade to more sophisticated systems.


VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative technology and transact. Our site delivers essential information on data technologies and strategies to guide you as you lead your organizations. We invite you to become a member of our community, to access:
  • up-to-date information on the subjects of interest to you
  • our newsletters
  • gated thought-leader content and discounted access to our prized events, such as Transform 2021: Learn More
  • networking features, and more
Become a member