By Jim Finkle and Caroline Humer (Reuters) - Community Health Systems Inc (N:CYH), one of the biggest U.S. hospital groups, said on Monday it was the victim of a cyber attack from China, resulting in the theft of Social Security numbers and other personal data belonging to 4.5 million patients.
That would make the attack the largest of its type involving patient information since a U.S. Department of Health and Human Services website started tracking such breaches in 2009. The previous record, an attack on a Montana Department of Public Health server, was disclosed in June and affected about 1 million people.
The attackers appear to be from a sophisticated hacking group in China that has breached other major U.S. companies across several industries, said Charles Carmakal, managing director with FireEye Inc's (O:FEYE) Mandiant forensics unit, which led the investigation of the attack on Community Health in April and June.
"They have fairly advanced techniques for breaking into organizations as well as maintaining access for fairly long periods of times without getting detected," he said.
Carmakal and officials with Community Health Systems declined to name the group or say if it was linked to the Chinese government, which U.S. businesses and officials have long accused of orchestrating cyber espionage campaigns around the globe.
In May, a U.S. grand jury indicted five Chinese military officers on charges they hacked into U.S. companies for sensitive manufacturing secrets, the toughest action to date taken by Washington to address cyber spying. China has denied the charges.
FBI spokesman Joshua Campbell said his agency was investigating the case, but declined to elaborate.
The Department of Homeland Security said it believed the incident was isolated to Community Health Systems, although it shared technical details about the attack with other healthcare providers.
An agency official told Reuters it was too soon to confirm who was behind the attack.
"While attribution of this incident is still being determined by a range of partners, we caution against leaping to premature conclusions about who or how many actors are behind these activities," said the official, who was not authorized to discuss the investigation publicly.
The stolen information included patient names, addresses, birth dates, telephone numbers and Social Security numbers of people who were referred or received services from doctors affiliated with the hospital group in the last five years, the company said in a regulatory filing. It did not include medical or clinical information.
NEW SCRUTINY
Cybersecurity has come under increased scrutiny at healthcare providers this year, both by law enforcement and attackers.
The FBI warned the industry in April that its protections were lax compared with other sectors, making it vulnerable to hackers looking for details that could be used to access bank accounts or obtain prescriptions.
Over the past six months Mandiant has seen a spike in cyber attacks on healthcare providers, although this was the first case it had seen in which a sophisticated Chinese group has stolen personal data, according to Carmakal.
Chinese hacking groups are known for seeking out intellectual property such as product design or information that might be of use in business or political negotiations.
Social Security numbers and other personal data are typically stolen by cybercriminals to sell on underground exchanges for use by others in identity theft.
"It's hard to tell why these guys took the data or what they plan to do with it," said Carmakal, whose firm monitors about 20 hacking groups in China.
Dmitri Alperovitch, chief technology officer with cybersecurity firm CrowdStrike, said Chinese hackers sometimes attack healthcare providers to obtain medical records of government officials and even potential intelligence assets.
"Maybe they were trying to get at the medical data, but for some reason they couldn't, so they exfiltrated everything else, figuring that it might somehow be helpful," Alperovitch said.
The company said the stolen data did not include credit card numbers, or any intellectual property such as data on medical device development.
Community Health, which has 206 hospitals in 29 states, said it has removed malicious software used by the attackers from its systems and completed other remediation steps. It is now notifying patients and regulatory agencies, as required by law.
It also said it is insured against such losses and does not at this time expect a material adverse effect on financial results.
Community Health's stock was up 62 cents at $51.62 in midday trading on the New York Stock Exchange.
(Reporting by Caroline Humer, Jim Finkle and Shailesh Kuber; Editing by Joyjeet Das, Lisa Von Ahn, Chizu Nomiyama, Dan Grebler and Andre Grenon)