Hackers compromised the protected health information of 4.5 million patients of Franklin, Tennessee-based Community Health Systems, Inc. in April and June of this year, the 206-hospital health system spanning 29 states reported. The hospital system — along with cybersecurity firm Mandiant Corp. — believes a group from China used sophisticated malware and technology to breach the company’s IT network.
The hackers were able to copy and transfer data that included patient names, addresses, birthdates, telephone numbers and social security numbers, but not credit card or clinical information, as detailed in Securities and Exchange Commission filings.
A breach that affected members of the State of Tennessee Group Insurance Program exposed data sets similar to those in the Community Health Systems incident, but did not expose medical information, social security numbers or employee ID numbers. The attackers gained access to an old online scheduler — which hadn’t been in use since the fall of 2013 — between January 4, 2014 and April 11, 2014, according to a letter sent to members of the insurance program. Affected members will receive one free year of identity theft protection.
Healthcare data breaches that put protected health information at risk haven’t been limited to a few instances. More than half (61%) of respondents to a 2013 EMC survey said their organization experienced a security breach, data loss, or unplanned downtime in the 12 months preceding the survey. Nearly one-fifth (19%) reported security breaches in that same timeframe, costing them an average of $810,189.
Healthcare lags behind retail, utilities and finance, ranking as the industry with the lowest-rated security in a study of those four markets. The analysis — performed by BitSight Technologies — put healthcare’s security score at 660, on a scale of 250 to 900, at the conclusion of the first quarter. That number was nearly 100 points lower than the score finance earned.