Hospital Operator Reports 4.5 Million Patients’ Data Stolen in Cyberattack


The Tennessee-based acute-care hospital chain Community Health Systems, Inc. (CHS) reported on August 18 that information on approximately 4.5 million patients was stolen from the company. CHS is one of the largest hospital groups in the country, operating 206 hospitals in 28 states. The company reported in a Form 8-K filed with the Securities and Exchange Commission that nonmedical patient identification information was stolen in a cyberattack that likely occurred in April and June of 2014. Although the information did not include patient credit card, medical or clinical information, the data is considered protected under the Health Insurance Portability and Accountability Act (“HIPAA”) because it includes patient names, addresses, birthdates, telephone numbers and Social Security numbers. Therefore, the event was reportable under HIPAA, CHS said in its filing. This incident is one of the largest HIPAA breaches ever in terms of the number of patients affected.

The company believes the theft may have originated from China, and that the attacker used highly sophisticated malware and technology to attack the company’s computer network systems. The cyberattacker was then able to bypass the company’s security measures to copy and transfer certain patient data.

CHS reported that it has been working closely on an investigation with federal law enforcement authorities, which may also lead to possible prosecution of the responsible parties. The company's remediation efforts include completely eradicating the malware from its systems and implementing other measures designed to prevent this type of attack in the future. The company stated that it is providing the appropriate notification to affected patients and regulatory agencies as required by federal and state law. Additionally, it will be offering identity theft protection services to affected individuals.

Link to CHS’ Form 8-K: Entire Document.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Faegre Baker Daniels | Attorney Advertising

Written by: Faegre Baker Daniels
