Heartbleed Bug – How Community Health Systems was hacked for 4.5 million Patients’ data

Last week Community Health Systems (CHS), a hospital system containing a 206 hospital network, the second largest in the United States, announced that hackers stole data on 4.5 million patients. The hacker, who operated out of China gained access to names, Social Security numbers, physical addresses, birthdays, and telephone numbers of anyone who received treatment from a network-owned hospital within the last five years.

Fortunately, however, hackers did not gain access to information on patient’s credit card, medical, or clinical information. This theft is believed to have taken place sometime between April and June 2014.

This is not the first data breach this hospital system has experienced. Definitive Healthcare also reports that CHS has had data breaches in their facilities, Flowers Hospital and Lake Granbury Medical Center. The incident in Flowers Hospital, of Alabama involved an employee’s theft of 700 patients’ papers in an attempt for fraudulent tax returns, while the incident with Lake Granbury Medical Center, of Texas, involved a paper theft involving 502 individuals. These hacks occurred in 2013 and 2012 respectively.

For this most recent CHS attack, it is believed that hackers in China were using “highly sophisticated malware and technology” to attack the systems. The FBI said that the intruder sought “valuable intellectual property, such as medical device and equipment development data.”

As the situation is investigated further, reports from BBC News, among others, are now attributing the breach to the Heartbleed bug. If confirmed, this would be the biggest identified breach relating to this bug.

This situation is an important indicator of how we must continue to address security concerns. Keeping patient data and personal information both confidential and secure should be one of our health system’s top priorities.