Community Health System said Monday that information belonging to patients in Arkansas was stolen when its systems were hacked and records of 4.5 million patients were compromised.
Some nonmedical identification data from patients of doctors affiliated with eight of the 10 CHS hospitals in Arkansas were taken, Tomi Galin, a senior vice president of corporate communications and marketing, said in an email Monday. The company is not revealing the number of affected patients by practice or market.
In Arkansas, CHS owns Northwest Health System, which operates Northwest Arkansas Medical Center in Bentonville, Northwest Arkansas Medical Center in Springdale and the Willow Creek Women's Hospital in Johnson; Sparks Health System, which includes Sparks Regional Medical Center in Fort Smith and Summit Medical Center in Van Buren; Siloam Springs Regional Hospital in Siloam Springs; Forrest City Medical Center in Forrest City; Harris Hospital in Newport; Helena Regional Medical Center in Helena-West Helena; and the Medical Center of South Arkansas in El Dorado.
Patient information from doctors affiliated with Sparks Regional Medical Center in Fort Smith and Summit Medical Center in Van Buren was not affected by the cyberattack.
The information was gathered over the past five years from patients who were referred to or who received care from doctors connected with the CHS hospitals. The hospitals themselves were not affected by the attack.
According to a Monday filing by CHS with the Securities and Exchange Commission, the China-based hackers used sophisticated malware and other technology to attack the company's computer network. Federal investigators told CHS that the target of attacks from this group is usually valuable intellectual property -- including data on medical devices and equipment development.
While the data breach did not include credit card, medical or clinical information, it did involve patient names, addresses, birth dates, and telephone and Social Security numbers, according to the filing. CHS said it would notify affected patients and will be offering them identity theft protection services.
Matt Drachenberg, director of special projects at data security firm HIPAA Risk Management in Fayetteville, said CHS will likely set up a call center in the next few days to help people with compromised information determine their vulnerability.
He said medical information is in many ways far more attractive to thieves than banking information from a debit or credit card. He said health care information is highly sensitive and it can be used for Medicare and Medicaid fraud.
"It's about 50 times more valuable," Drachenberg said.
In its filing, CHS said it believed the attack happened in April and June. The company has eradicated the malware and has taken measures to protect itself from further attacks of this type, according to the filing.
CHS has 206 hospitals across the U.S. In late January, Tennessee-based CHS finalized a deal acquiring Health Management Systems for $7.6 billion, making it one of the largest publicly traded hospital companies in the U.S.
Shares of CHS closed at $51.66, up 66 cents or 1.3 percent in trading Monday on the New York Stock Exchange. Shares have traded between $34.55 and $51.77 over the past year.
Business on 08/19/2014