The Franklin, Tenn.-based Community Health Systems, Inc. has said that the personal data of approximately 4.5 million patients was stolen by hackers from its computer network in April and June.
According to a story in Reuters, the company said the data, considered protected under the Health Insurance Portability and Accountability Act (HIPAA), included patient names, addresses, birth dates, telephone numbers and Social Security numbers. It did not include patient credit card or medical information, however. The breach was reported by the organization in a Securities and Exchange Commission (SEC) filing.
It further said the security breach had affected about 4.5 million people who were referred for or received services from doctors affiliated with the hospital group in the last five years. The company said it is notifying affected patients and regulatory agencies as required by law.
The rural hospital operator and cybersecurity firm Mandiant believe the attacker was an "Advanced Persistent Threat" group originating from China, according to a Wall Street Journal report. The attacker, who used highly sophisticated malware and technology to attack the company's systems, was able to bypass Community Health Systems' security measures and to successfully copy and transfer certain data outside the company, it said.
Community Health Systems is one of the nation’s largest operators of general acute care hospitals. It includes 206 affiliated hospitals in 29 states.