Community Health Systems data hack hits 4.5 million Published duration 18 August 2014

image copyright Getty Images image caption Community Health Systems has 206 hospitals across the US

A major US hospital group said it was the victim of a cyber-attack resulting in the theft of 4.5 million people's personal data.

The attack, which Community Health Systems believed originated in China, happened in April and June this year.

The data included patient names, addresses, birthdates, telephone numbers and social security numbers.

The firm, which runs 206 hospitals in 29 states, is now in the process of notifying affected patients.

One security expert warned that the data could be used to steal people's identity.

The FBI confirmed to news agency Reuters that it was investigating the breach.

Community Health Systems stressed that it believed no medical or credit card records were taken.

News of the attack follows several warnings, from both law enforcement and security experts, that medical equipment is at risk from hack attacks due to poor security measures.

Community Health Systems said security group Mandiant, part of FireEye, advised the company that the techniques used were similar to those used by a well-known Chinese hacking group.

However, both Community Health Systems and Mandiant declined to elaborate on the identity of the group - nor would they say whether they believed the hackers were working on behalf of the Chinese government.

Personal impact

Lamar Bailey, director of security research and development at cybersecurity firm Tripwire, said the fact medical records and credit card details were not stolen will be of little comfort to those affected.

"When financial data is stolen, such as when credit card numbers are stolen from retailers, the retailer and card issuers are hit with the fraudulent charges and the costs for generating new cards.

"But when personal information is stolen - name, address, phone number, birthdates, and social security number - it impacts the person and not a company.

"This is the information needed for identity theft to allow criminals to open accounts in the names of the 4.5 million victims."