By Jim Finkle and Caroline Humer
BOSTON/NEW YORK Aug 18 Community Health Systems
Inc, one of the biggest U.S. hospital groups, said on
Monday it was the victim of a cyber attack from China, resulting
in the theft of Social Security numbers and other personal data
belonging to 4.5 million patients.
Security experts said the hacking group, known as "APT 18,"
may have links to the Chinese government.
"APT 18" typically targets companies in the aerospace and
defense, construction and engineering, technology, financial
services and healthcare industry, said Charles Carmakal,
managing director with FireEye Inc's (FEYE.O) Mandiant forensics
unit, which led the investigation of the attack on Community
Health in April and June.
"They have fairly advanced techniques for breaking into
organizations as well as maintaining access for fairly long
periods of times without getting detected," he said.
The information stolen from Community Health included
patient names, addresses, birth dates, telephone numbers and
Social Security numbers of people who were referred or received
services from doctors affiliated with the hospital group in the
last five years, the company said in a regulatory filing.
The stolen data did not include medical or clinical
information, credit card numbers, or any intellectual property
such as data on medical device development, said Community
Health, which has 206 hospitals in 29 states.
The attack is the largest of its type involving patient
information since a U.S. Department of Health and Human Services
website started tracking such breaches in 2009. The previous
record, an attack on a Montana Department of Public Health
server, was disclosed in June and affected about 1 million
people.
Chinese hacking groups are known for seeking intellectual
property, such as product design, or information that might be
of use in business or political negotiations.
Social Security numbers and other personal data are
typically stolen by cybercriminals to sell on underground
exchanges for use by others in identity theft.
Over the past six months Mandiant has seen a spike in cyber
attacks on healthcare providers, although this was the first
case it had seen in which a sophisticated Chinese group has
stolen personal data, according to Carmakal. Mandiant monitors
about 20 hacking groups in China.
NEW SCRUTINY
Cybersecurity has come under increased scrutiny at
healthcare providers this year, both by law enforcement and
attackers.
The FBI warned the industry in April that its protections
were lax compared with other sectors, making it vulnerable to
hackers looking for details that could be used to access bank
accounts or obtain prescriptions.
Mandiant has tracked "APT 18" for four years. When asked if
the hackers were linked to the Chinese government, Carmakal said
it was "a possibility" but declined to elaborate.
Another cybersecurity firm, CrowdStrike, which has also been
monitoring "APT 18" for about four years, said it believes the
hackers are either backed by Beijing or work directly for the
government, based on the targets they have chosen.
CrowdStrike Chief Technology Officer Dmitri Alperovitch said
his firm has seen "APT 18" targeting human rights groups and
chemical companies.
"They are of above average skill" among Chinese hackers,
said Alperovitch, whose company dubbed the group "Dynamite
Panda."
The issue of Chinese state-sponsored hacking is highly
sensitive. Tensions between Washington and Beijing have grown
since May, when a U.S. grand jury indicted five Chinese military
officers on charges they hacked into American companies for
sensitive manufacturing secrets. China has denied the charges.
FBI spokesman Joshua Campbell said his agency was
investigating the Community Health case, but declined to
elaborate.
The Department of Homeland Security said it believed the
incident was isolated, although it shared technical details
about the attack with other healthcare providers. An agency
official told Reuters it was too soon to say who was behind the
attack.
Community Health said it has removed malicious software used
by the attackers from its systems and completed other
remediation steps. It is now notifying patients and regulatory
agencies, as required by law.
The company said it is insured against such losses and does
not at this time expect a material adverse effect on financial
results. Community Health's stock rose 66 cents, or 1.3 percent,
to close at $51.66 on the New York Stock Exchange on Monday.
