A healthcare system spanning 29 states announced on Monday that cybercriminals operating from China stole information on approximately 4.5 million patients, including names, birth dates, and Social Security numbers.

Community Health Systems, which comprises 206 facilities in the southern and western states, announced the incident in an 8-K filing submitted to the Securities and Exchange Commission (SEC). The data breach likely stems from compromises in April and June of this year, involved sophisticated malware, and is apparently connected to China, the company stated.

"The attacker was able to bypass the Company’s security measures and successfully copy and transfer certain data outside the Company," CHS said in its 8-K filing. "Since first learning of this attack, the Company has worked closely with federal law enforcement authorities in connection with their investigation and possible prosecution of those determined to be responsible for this attack."

While attacks against US companies by nation-state attackers—usually with apparent affiliations with China—have become common, the cybercriminals usually seek out intellectual property and sensitive information on business or policy, not personal information on individuals. The stolen information includes patient names, addresses, birth dates, telephone numbers, and Social Security numbers, but not credit-card, medical, or clinical information, the filing stated.

The healthcare industry has suffered a large number of breaches, as documented by the US Department of Health and Human Services, but the CHS breach has topped them all. Previous large breaches include 1.1 million records stolen from the Montana Department of Public Health and Human Services, 780,000 records stolen from the Utah Department of Health, and 475,000 records stolen from the Puerto Rico Department of Health.

The attack should come as no surprise. Recent ratings released by security-rating firm BitSight found that the healthcare industry had more security issues and signs of breaches than any other industry, including the retail sector. Companies may not be able to avoid a compromise, but should be able to better protect their data, Aviv Raff, chief technology officer for security-services firm Seculert, said in a statement sent to Ars Technica.

"While the planting of the malware itself couldn't have been avoided, the attack should have been detected way before the attackers were able to exfiltrate the personal data of 4.5M people," he said. "This is another reason why enterprises are now moving from trying to prevent an attack, into detecting an attack as soon as possible."

Community Health Systems has involved federal law enforcement and incident-response firm Mandiant, the company stated. The US Computer Emergency Readiness Team (US-CERT), part of the Department of Homeland Security, is also involved in the investigation, the group said in a statement.