Medical records belonging to 4.5 million patients in the US have been breached as part of a three-month hacking spree believed to have originated in China.
Community Health Systems, a publicly traded company that runs more than 200 hospitals across the US, disclosed the security breach in a recent regulatory filing. The company is investigating the breach with the help of Mandiant, the cybersecurity firm that was acquired by FireEye earlier this year.
Mandiant specializes in Chinese cyberespionage, and last year released a report that suggested that the People’s Liberation Army’s “Unit 61398” was behind the security breaches of at least 141 organizations, most of them based in the US. It believes that this particular attack originated from a Chinese hacking group known as “APT 18,” which it has been following for four years.
According to a report by the Washington Post on Tuesday, the stolen data in the Community Health Systems breach includes records for patients who have seen doctors from the company in the past five years, and consists of personal data such as names, addresses, birth dates, telephone numbers and social security numbers.
The attack spanned from April to June this year, and Mandiant said that the Chinese hacking group behind the breach typically targets organizations in aerospace and defense, construction, healthcare and other sectors.
Community Health said the stolen data didn’t include medical or clinical information, credit card numbers or any intellectual property.
There are a few theories as to why Chinese hackers, who are typically interested in intellectual property, would have stolen personal data. One of them, according to the Washington Post, is that employees of the government did it without the knowledge of their superiors in order to sell the information on the black market.
The healthcare industry is particularly susceptible to security breaches, the FBI said in April, since its regulations are fairly lax compared to other sectors. A report in May said that despite all the recent high-profile retail security breaches, the healthcare industry is actually more vulnerable to security threats. It is estimated that security breaches cost healthcare firms around $5.6 billion per year.
Indeed, HIPAA compliance and security are among the top concerns of healthcare organizations considering storing data in the cloud. Companies like Logicworks and Lumen21 are addressing these concerns by targeting healthcare organizations and offering specialty services.
Community Health is notifying patients and regulatory agencies about the breach, as required by law, Reuters said.