A major U.S. hospital operator said Monday that it was the victim of a cyber-attack resulting in the theft of 4.5 million patients' personal data, Agence France-Presse reported. The hackers, likely from China, broke into its systems and stole identification data.
Community Health Systems claims the attack happened in April and June this year and used "highly sophisticated malware and technology" to bypass its data security protection.
Working with computer security experts, the company found information leading it to conclude that the attackers were a group originating from China that works steadily to gain access to a target's systems in order to steal data, including patient names, addresses, birthdates, telephone numbers and social security numbers, rather than to cause damage to the systems.
The firm, which runs 206 hospitals in 29 states, is now in the process of notifying affected patients and offering them theft-protection services, BBC News reported. However, the hackers did not obtain medical information on patients or any credit card data.
Lamar Bailey, director of security research and development at cybersecurity firm Tripwire, said the fact medical records and credit card details were not stolen will be of little comfort to those affected.
"When financial data is stolen, such as when credit card numbers are stolen from retailers, the retailer and card issuers are hit with the fraudulent charges and the costs for generating new cards," he said. "But when personal information is stolen - name, address, phone number, birthdates, and social security number - it impacts the person and not a company."
"This is the information needed for identity theft to allow criminals to open accounts in the names of the 4.5 million victims."
News of the attack follows several warnings, from both law enforcement and security experts, that medical equipment is at risk from hack attacks due to poor security measures.
"Community Health Systems said security group Mandiant, part of FireEye, advised the company that the techniques used were similar to those used by a well-known Chinese hacking group," BBC News reported. "However, both Community Health Systems and Mandiant declined to elaborate on the identity of the group - nor would they say whether they believed the hackers were working on behalf of the Chinese government."
But security experts believe the hacking group, known as "APT 18," may have links to the Chinese government, Reuters reported.
"APT 18" typically targets companies in the aerospace and defense, construction and engineering, technology, financial services and healthcare industries, said Charles Carmakal, managing director with FireEye Inc's (FEYE.O) Mandiant forensics unit, which led the investigation of the attack on Community Health. "They have fairly advanced techniques for breaking into organizations as well as maintaining access for fairly long periods of time without getting detected," he said.
Although this was the first case that Mandiant had seen in which a sophisticated Chinese group had stolen personal data, it has witnessed a spike in cyber attacks on healthcare providers over the past six months, according to Carmakal.