Easton Hospital's parent company says personal data of 4.5M patients stolen in Chinese cyberattack

Personal information on a number of Easton Hospital patients — including their names and Social Security numbers — was stolen in a cybertheft that likely originated in China, the hospital's parent company announced Monday.

According to Community Health Systems, based in Franklin, Tenn., cyberthieves stole personal data belonging to 4.5 million patients in April and June.

The stolen information included patient names, addresses, birth dates, phone numbers and Social Security numbers of people who were referred for — or received services from — doctors affiliated with the hospital group in the last five years, the company said in a regulatory filing Monday.

Locally, Easton Hospital said in a statement that the identities of "some patients" who were seen at Northampton Physician Services in Bethlehem Township were compromised. The hospital said all affected patients have been notified and were offered free identity theft protection.

"We take very seriously the security and confidentiality of private patient information, and we sincerely regret any concern or inconvenience this event may cause for our patients," the statement says.

The attack is the largest of its type involving patient information since a U.S. Department of Health and Human Services website started tracking such breaches in 2009. The previous record — an attack on a Montana Department of Public Health server — was disclosed in June and affected about 1 million people.

The attackers appear to be from a sophisticated hacking group in China that has breached other major U.S. companies across several industries, said Charles Carmakal, managing director with FireEye Inc.'s Mandiant forensics unit, which led the investigation of the attack on Community Health in April and June.

"They have fairly advanced techniques for breaking into organizations as well as maintaining access for fairly long periods of times without getting detected," he said.

Carmakal and officials with Community Health Systems declined to name the group or say if it was linked to the Chinese government, which U.S. businesses and officials have long accused of orchestrating cyberespionage campaigns around the globe.

In May, a U.S. grand jury indicted five Chinese military officers on charges they hacked into U.S. companies for sensitive manufacturing secrets, the toughest action taken by Washington to address cyberspying to date. China has denied the charges.

Community Health Systems, one of the biggest U.S. hospital groups, said in the filing that investigators have told it that the Chinese group believed to be behind the attack typically seeks valuable intellectual property, such as medical device and equipment development data.

Community Health Systems spokeswoman Tomi Galin told Reuters that the suspects had not stolen that type of information.

FBI spokesman Joshua Campbell said his agency was investigating the case, but declined to elaborate.

The filing said the stolen data did not include credit card numbers, medical or clinical information, though the types of personal information stolen were still covered by the U.S. government's Health Insurance Portability and Accountability Act, or HIPAA.

The FBI had warned health care providers in April that their cybersecurity systems were lax compared with other sectors, making them vulnerable to hackers looking for details that could be used to access bank accounts or obtain prescriptions.

But in its statement, Easton Hospital said the federal government has to do more for cybersecurity.

"It is up to the federal government to create a national cyberdefense that can prevent this type of criminal invasion from happening in the future," the hospital says.

Community Health, which has 206 hospitals in 29 states, said it has removed malicious software used by the attackers from its systems and completed other remediation steps. It is now notifying patients and regulatory agencies, as required by law.

The company said it is insured against such losses and does not at this time expect a material adverse effect on financial results.

tim.darragh@mcall.com