The Tennessee-based acute-care hospital chain Community Health Systems, Inc. (CHS), reported on August 18 that information on approximately 4.5 million patients was stolen from the company. CHS is one of the largest hospital groups in the country, operating 206 hospitals in 28 states. The company reported in a Form 8-K filed with the Securities and Exchange Commission that nonmedical patient identification information was stolen in a cyberattack that likely occurred in April and June of 2014. Although the information did not include patient credit card, medical or clinical information, the data is considered protected under the Health Insurance Portability and Accountability Act (“HIPAA”) because it includes patient names, addresses, birthdates, telephone numbers and Social Security numbers. Therefore, the event was reportable under HIPAA, CHS said in its filing. This incident is one of the largest HIPAA breaches ever, in terms of the number of patients affected.

The company believes the theft may have originated from China, and that the attacker used highly sophisticated malware and technology to attack the company’s computer network systems. The cyberattacker was then able to bypass the company’s security measures to copy and transfer certain patient data.

CHS reported that it has been working closely on an investigation with federal law enforcement authorities which may also lead to possible prosecution of the responsible parties. Remediation efforts employed by the company include completely eradicating the malware from its systems and implementing other remediation efforts designed to prevent this type of attack in the future. The company stated that it is providing the appropriate notification to affected patients and regulatory agencies as required by federal and state law. Additionally, it will be offering identify theft protection services to affected individuals.

Link to CHS’ Form 8-K: Entire Document.