Community Health Systems Inc, one of the largest hospital groups in the US, has announced that it was the victim of a cyber attack resulting in the theft of 4.5 million patients’ records.
In a filing, the company revealed that the stolen information included patient names, telephone numbers, addresses and social security numbers.
The hackers were not able to obtain credit card numbers, medical or clinical information, or any intellectual property such as data on medical device development.
Security experts believe that the hacking group, which is dubbed “APT 18”, might be connected to the Chinese government.
According to Charles Carmakal, managing director of FireEye Inc’s forensics unit, APT 18 usually targets firms in the defence and aerospace, engineering and construction, financial services, technology and healthcare industries.
He revealed that the group “have fairly advanced techniques for breaking into organizations as well as maintaining access for fairly long periods of times without getting detected.”
Patients whose data was stolen will be notified by Community Health Systems. However, it is unclear who will be sent notifications, because there is no federal data breach law that requires them, only a patchwork of various state regulations, CNN explained in its report.
Patients who receive a notification or find out that their data was stolen could potentially sue the firm because the data is protected by the Health Insurance Portability and Accountability Act (HIPAA).
Moreover, the FBI has confirmed to Reuters that it is investigating the case, which is the biggest attack of its kind involving patient data. The previous record involved an attack on the server of the Montana Department of Public Health and affected around one million patients.