Community Health Systems data breach affects 4.5M

By Shelley DuBois, sdubois@tennessean.com

Franklin-based hospital company Community Health Systems Inc. had a data breach that affected an estimated 4.5 million patients.

In a statement filed with the Securities and Exchange Commission, CHS reported a hacker in China bypassed the company's security measures, likely in April and June of 2014.

CHS, which worked with cyber security company Mandiant to help cope with the threat, said that the data affected in the breach was non-medical but includes sensitive information such as patient names, addresses, birthdates, telephone numbers and Social Security numbers.

CHS says it will notify all affected patients and provide them with protection services. Affected patients should monitor their credit reports to make sure hackers aren't using their information, said Mark Burnette, a partner in local firm LBMC's security and risk service practice.

Concerned health system customers can also request a copy of the hospital's privacy policy to stay in the know, Burnette said.

Patients whose records have been hacked may also want to stay extra vigilant about fishy emails with suspicious attachments, said Tom Turner, an executive at BitSight Technology, which issued a 2014 cybersecurity report. The study highlights the health care industry as one of the worst at protecting against breaches.

"Any time you are offering any type of information you consider personal, private or sensitive, you have to be aware that the minute you provide it to a third party, you're reliant on them to protect it," said Burnette.

But at some point, people are going to need to access health care, regardless of the information security risk. "If you are in need of life saving medical care, you're not going to stop and say, 'Hey, before you start to operate, can you tell me if you're going to protect my information?'" Burnette said.

While the attack certainly generates negative publicity for the company, CHS says it has insurance for this type of problem. "While this matter may result in remediation expenses, regulatory inquiries, litigation and other liabilities," the SEC report said, "at this time, the Company does not believe this incident will have a material adverse effect on its business or financial results."

The breach is a relatively large one for the health care industry, according to BitSight's Turner, who added that CHS seems to be communicating about it appropriately.

Criminal attacks on health care companies have become common, according to a March 2014 report by data security research firm the Ponemon Institute, which said those types of hacks have risen 100 percent since the company completed the first study in 2010. Furthermore, the study said, about 90 percent of the facilities surveyed had experienced at least one data breach within the past year.

Health care companies of CHS' size may have a bigger challenge on their hands. "The larger a health care organization is, the more difficult it becomes to keep tabs on sensitive data," said Burnette. "There are so many places where that data is handled, processed and transmitted and there are so many more humans it comes in contact with."

CHS is the largest hospital company in the country, in terms of the number of hospitals. Out of CHS' 206 hospitals, 19 are in Tennessee.

Reach Shelley DuBois at 615-259-8241 and on Twitter @shelleydubois.