Community Health Systems announced on Monday that hackers got access to personal information from about 4.5 million patients who were treated in rural and southeastern U.S. hospitals. Hackers in China are believed to be behind the cyber attack, and the reason why they stole the data is alarming.
The hackers were after the data either to figure out how American doctors work or to steal identities.
The Chinese hackers did not steal medical data, but they did steal "non-medical patient identification data related to the Company's physician practice operations." The data included names, addresses, birth dates, telephone numbers and, most importantly, Social Security numbers. With the number of people uninsured, this data can be worth a pretty penny.
Those without health insurance can get access to treatment by using the stolen information. "If I am one of the 50 million Americans who are uninsured ... and I need a million-dollar heart transplant, for $250 I can get a complete medical record including insurance company details," John Halamka, chief information officer of the Beth Israel Deaconess Medical Center and chairman of the New England Healthcare Exchange Network, says.
An insured person would need to present a fake second form of ID, assuming the stolen identity's age, weight and height are in the same ballpark. After this, they could potentially be treated for their illness with their stolen identity.
Community Health Systems, which operates 206 hospitals in 29 states, said the attack took place during April and June. The company called the hackers an "Advanced Persistent Threat" from China, which has been linked to previous attacks. Community Health Systems hired the firm Mandiant to investigate the cyber attack.
It is hard to identify those who use stolen identities for medical treatment because of the way U.S. health networks and insurance systems are set up. The National Health Service of the U.K., for example, assigns an ID number that links the patient to centralized medical records to prevent false identities.
Halamka, who also runs the blog "Life as a healthcare CIO," says that health care CIOs are investing to beef up security to prevent cyber attacks. Companies could face a maximum $1.5 million fine from the Department of Health and Human Services for weak security regarding patients' personal information. "There's nothing like a million-dollar fine to be a wake-up call to enhance security," Halamka says.
Community Health Systems is expected to send a letter to its patients in the coming weeks.