Chinese hackers infiltrated a computer network linking hundreds of hospitals across the United States and stole the personal information of 4.5 million patients. Targeting hospitals is just the latest evidence Chinese cybercriminals are investigating new ways to steal Americans’ personal information and trade secrets.
Community Health Systems, or CYH, which operates 206 hospitals throughout the United States, said in a Securities and Exchange Commission filing obtained by CNN Monday that anyone who received treatment from a physician’s office affiliated with a CYH-owned hospital in the past five years should investigate whether their information has been used without their consent. CYH hospitals are in 28 states but congregated most heavily in Alabama, Florida, Pennsylvania and Texas.
The hackers stole patient names, Social Security numbers, physical addresses, birth dates and telephone numbers. This critical information, which is often used as currency among shadowy international hackers groups, is almost always stolen for the purpose of identity fraud, allowing thieves to open bank accounts and credit cards on the victim’s behalf.
The FBI and the cybersecurity firm Mandiant are investigating the hack, with an FBI investigator telling CNN the government is “committing significant resources and efforts to target, disrupt, dismantle and arrest the perpetrators.”
CYH asserted in its SEC filing the hack was conducted by an “advanced persistent threat” group originating in China. That term is significant because it describes an elite group of hackers believed affiliated with the Chinese People’s Liberation Army and the same group that conducted a series of hacks against federal agencies earlier this year.
Continue Reading Below
Whether the FBI is investigating based on the same “advanced persistent threat” premise is unclear. Requests for comment from Mandiant went unanswered.
Such reports have become routine in the age of information. With so many major retailers admitting they’ve been hacked, the news fails to even register with many customers, many of whom could be affected. Yet the 4.5 million records stolen in this case (a minor blip compared to the more than 100 million identities stolen from Target during last year’s holiday season) are a reminder hospitals and other networks with sensitive secrets are attracting extra scrutiny from foreign firms.
“Medical records provide identity theft on a platter,” Bill Tanenbaum, a New York attorney with the firm Kaye Scholar practicing focuses on data security privacy and corporate transactions, told International Business Times when asked why a hospital would be a target.
“Names, addresses, Social Security numbers, mothers’ maiden names and credit card information for insurance co-payments are all available in one place and provide both convenience and completeness for a cyberhacker, whether or not any medical treatment history is exposed or stolen,” he added. “Another reason why patient health care is stolen is because hackers resell insurance or medical profiles to allow third parties to get medical treatment and have someone else’s insurance or Medicare credentials pay for it.”
This incident also recalls a recent study highlighted by Wired that found some of the most crucial hospital equipment is susceptible to hacking. Of the most alarming insights found by Essentia Health, which operates approximately 100 health care facilities in the Midwest, were the revelations chemotherapy and antibiotic drips can be remotely infiltrated by hackers wishing to change a patient’s dosage, Bluetooth-enabled defibrillators can be overridden to deliver random shocks, and temperature settings on blood-storing refrigerators can be changed.
“Many hospitals are unaware of the high risk associated with these devices,” Essentia information security head Scott Erven told the magazine upon completion of the two-year study earlier this year. “Even though research has been done to show the risks, health care organizations haven’t taken notice. They aren’t doing the testing they need to do and need to focus on assessing their risks.”