That would make the attack the largest of its type involving patient information since a U.S. Department of Health and Human Services website started tracking such breaches in 2009. The previous record, an attack on a Montana Department of Public Health server, was disclosed in June and affected about 1 million people.
Mandiant has tracked the group for four years and internally refers to it as "APT 18." When asked if the hackers were linked to the Chinese government, Carmakal said it was "a possibility" but declined to elaborate.
"They have fairly advanced techniques for breaking into organizations as well as maintaining access for fairly long periods of times without getting detected," he said.
The issue of Chinese state-sponsored hacking is highly sensitive. Tensions between Washington and Beijing have grown since May, when a U.S. grand jury indicted five Chinese military officers on charges they hacked into American companies for sensitive manufacturing secrets. China has denied the charges.
FBI spokesman Joshua Campbell said his agency was investigating the Community Health case, but declined to elaborate.
The Department of Homeland Security said it believed the incident was isolated to Community Health Systems, although it shared technical details about the attack with other healthcare providers. An agency official told Reuters it was too soon to say who was behind the attack.
"While attribution of this incident is still being determined by a range of partners, we caution against leaping to premature conclusions about who or how many actors are behind these activities," said the official, who was not authorized to discuss the investigation publicly.
The stolen information included patient names, addresses, birth dates, telephone numbers and Social Security numbers of people who were referred or received services from doctors affiliated with the hospital group in the last five years, the company said in a regulatory filing. It did not include medical or clinical information.
Cybersecurity has come under increased scrutiny at healthcare providers this year, both by law enforcement and attackers.
The FBI warned the industry in April that its protections were lax compared with other sectors, making it vulnerable to hackers looking for details that could be used to access bank accounts or obtain prescriptions.
Over the past six months Mandiant has seen a spike in cyber attacks on healthcare providers, although this was the first case it had seen in which a sophisticated Chinese group has stolen personal data, according to Carmakal.
Chinese hacking groups are known for seeking out intellectual property such as product design or information that might be of use in business or political negotiations.
Social Security numbers and other personal data are typically stolen by cybercriminals to sell on underground exchanges for use by others in identity theft.
"It’s hard to tell why these guys took the data or what they plan to do with it,” said Carmakal, whose firm monitors about 20 hacking groups in China.
Dmitri Alperovitch, chief technology officer with cybersecurity firm CrowdStrike, said Chinese hackers sometimes attack healthcare providers to obtain medical records of government officials and even potential intelligence assets.
"Maybe they were trying to get at the medical data, but for some reason they couldn’t, so they exfiltrated everything else, figuring that it might somehow be helpful," Alperovitch said.
The company said the stolen data did not include credit card numbers, or any intellectual property such as data on medical device development.
Community Health, which has 206 hospitals in 29 states, said it has removed malicious software used by the attackers from its systems and completed other remediation steps. It is now notifying patients and regulatory agencies, as required by law.
It also said it is insured against such losses and does not at this time expect a material adverse effect on financial results.
Community Health's stock rose 66 cents, or 1.3 percent, to close at $51.66 on the New York Stock Exchange on Monday.