Elizabeth Weise

USA TODAY

SAN FRANCISCO — A rural health company with hospitals across the nation on Monday said hackers, possibly from China, had gotten the names, addresses, birth dates, telephone numbers and Social Security numbers of about 4.5 million patients.

Community Health Systems, based in Franklin, Tenn., said the attack occurred in April and June.

In a filing with the U.S. Securities and Exchange Commission on Monday, the company said the attacker was an "Advanced Persistent Threat" group, possibly based in China. It used "highly sophisticated malware and technology to attack the company's systems," the filing said.

The company's forensic computer experts at Mandiant said the Chinese hacking group "was able to bypass the company's security measures and successfully copy and transfer certain data outside the Company."

The company has since eradicated the malware from its computer system and protected it against attacks of the same type, it said.

Federal authorities told the company the same hacking group has typically sought valuable intellectual property, such as medical device and equipment development data from other medical centers.

But in this case, they were only able to get patient identification data related to the company's physician practice operations.

That included information about approximately 4.5 million individuals who were referred for or received services from physicians affiliated with the company in the last five years.

No credit card information or medical data was included in the breach.

However, the information was considered protected under the Health Insurance Portability and Accountability Act (HIPAA) because it includes patient names, addresses, birth dates, telephone numbers and Social Security numbers.

Too few health care companies invest in computer security, said Philip Lieberman, president of Lieberman Software in Los Angeles. He noted the FBI had warned health care companies in April that the sector's cybersecurity was lax. HIPAA does little to protect patients and offers companies little incentive to invest in computer security — and too many haven't done so, he said.

Still, "hospitals are arguably one of the hardest network environments to secure; their primary focus is on protecting and improving human life, and this often eclipses all other priorities," said Trey Ford, a security strategist at Rapid7, a security analysis firm in Boston.

Community Health Systems said it is notifying affected patients. It is one of the largest networks of hospitals in the nation, with 206 hospitals in 29 states.