Hospital giant Community Health Systems said on Monday that the personal information of nearly 4.5 million patients was stolen by hackers in an attack believed to originate from China.

In a filing with the U.S. Securities and Exchange Commission, the company, which operates 206 hospitals in 29 states, reported that the hackers used “sophisticated malware” to attack the company’s security systems and copy and transfer hospital data.

The company used cybersecurity firm Mandiant to investigate the incident which it believes occurred in April and June.



In the filing, the company reports that all malware has been removed from its systems and is currently making further provisions to protect against future attacks. Federal authorities and Mandiant report that these attacks usually involve the theft of “valuable intellectual property, such as equipment and medical device development data,” but that non-medical patient identification information like names and addresses was stolen.

The company said this information “does not include patient credit card, medical or clinical information,” but is still protected under the Health Insurance Portability and Accountability Act (HIPAA). In response to the breach, the company has notified people whose information was stolen, and is offering them identify theft protection services. Community Health Systems is insured to protect itself from these kinds of attacks, and does not believe its “business or financial results” will be affected.

This is the latest in a string of recent U.S. cybersecurity attacks. The U.S. Investigation Services (USIS), the main provider of background checks in the U.S., reported an attack on its corporate network earlier this month - possibly launched by a foreign power.