The latest cyber security breach currently under investigation was disclosed in an SEC filing by Community Health Systems, a Tennessee-based health company with over 200 hospitals in 29 states. The breach was detected in July and is said to have impacted 4.5 million individuals’ patient data.
Community Health revealed that the attacker was an Advanced Persistent Threat group based out of China that gained access to names, addresses, birth dates, phone numbers and Social Security numbers for patients who had been referred for or treated for services by affiliated physicians in the last 5 years.
The attackers were said to have used highly sophisticated malware and phishing tools to bypass Community Health’s security measures and successfully copy and transfer data to a server outside of the network. While the attackers have a history of stealing medical-device blueprints and prescription-drug formulas, this is the first time they have targeted personal info with little relative value.
However, the information remains HIPAA protected, meaning the company is inclined to notify patients of the breach. Community Health has confirmed it will provide identity theft protection to those affected, and it already carries cyber insurance to cover any losses.
HIPAA Breaches To Date
The attack brings the number of individuals affected by breaches involving more than 500 patients to almost 6 million in 2014 alone. Last year, 25,000 Americans had protected health information exposed per day, according to the HHS. The extent of this exposure and security risk is down to providers failing to recognize the importance of cyber security, specifically hospital networks.
“Hospitals are arguably one of the hardest network environments to secure; their primary focus is on protecting and improving human life, and this often eclipses all other priorities,” stated Trey Ford, Security Strategist at Rapid7, when asked about the vulnerability across hospitals and physician offices.
Furthermore, the sharp increase in recent attacks is putting considerable pressure on HIPAA to include more cyber security provisions and greater incentives for providers to implement stronger security measures.