If you’ve been to a hospital in a small town or anywhere in the southeastern portion of the United States in the last few years, it’s worth keeping an eye on your personal information.
Community Health Systems, which operates 206 hospitals in 29 states, most of them in rural communities, said today that it suffered a data breach affecting the personal information of some 4.5 million patients.
In a regulatory filing with the U.S. Securities and Exchange Commission, the hospital company said it was attacked during April and June of this year by an “Advanced Persistent Threat” group believed to be operating out of China.
It’s not clear what the purpose of this attack may have been, though Community Health says the only thing it knows was stolen was “non-medical patient identification data related to the Company’s physician practice operations and affected approximately 4.5 million individuals who, in the last five years, were referred for or received services from physicians affiliated with the Company.”
The phrase “Advanced Persistent Threat” is noteworthy because it was first used last year by the security firm Mandiant to describe a unit of the Chinese Army that has been accused of attacking the networks of scores of American, Canadian and British companies, dating as far back as 2006. The group’s operations were documented in excruciating detail in a landmark report.
Once it detected the attack, Community Health said it hired Mandiant, a unit of the security company FireEye, to investigate the incident. It’s unclear if Mandiant thinks this incident is the work of the same Chinese Army group that carried out the attack, or if it’s another group in China using similar tactics. The firm did not return calls seeking comment.
Mandiant’s report last year documented the operations of Unit 61398, a military cyberwar unit that stands accused of attacking the networks of at least 141 companies or organizations. On average, the hackers would spend nearly a year perusing a targeted company’s systems looking for sensitive information to steal: Product development plans, manufacturing techniques, business plans and the email messages of senior executives. The point is to help Chinese companies be more competitive.
China has officially denied the accusations, but the report was so detailed that the U.S. Department of Justice secured criminal indictments on five members of Unit 61398 which in turn poured new fuel on a diplomatic fire burning between the U.S. and China over the issue of cyber warfare.
For reference, here’s a map showing the location of Community Health’s hospitals around the U.S., which you can drill down on here. If you’ve been a patient at any of its hospitals in the last five years, you may be hearing from the company in the coming days.
Paul Balo is the founder of TechBooky and a highly skilled wireless communications professional with a strong background in cloud computing, offering extensive experience in designing, implementing, and managing wireless communication systems.
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behaviour or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
