4.5 Million Records Hacked
By Donna Cusano, Editor In Chief of Telehealth & Telecare Aware
Earlier this year [TTA 23 Apr] I commented on the fourth annual update from the Ponemon Institute plus a qualitative study from IS Solutions that contained mostly unwelcome news for healthcare IT departments in the US. Ponemon’s new estimate of data breaches’ cost per year: $5.6 billion. While making some progress in the existential threat that data breaches present to institutional and personal security, both reports also outlined the disconnect between HIT professionals busy dealing with and sealing off the mice of internal causes versus the looming, huge menace of the external criminal threat.
Today, we know that Godzilla stomped into town. Community Health Systems of Franklin, Tennessee claimed as part of a SEC regulatory filing that hackers originating in China breached sensitive information in 4.5 million patient records accumulated over five years during April and June using cyberattacks and sophisticated malware.
CHS discovered this in July and has been working with security firm Mandiant and Federal law enforcement. Their tracing back of the hackers’ M.O. is that they typically seek intellectual property on medical equipment and development software, but failing that raided patient names, addresses, birth dates, telephone numbers and Social Security numbers. The company owns, operates or leases 206 hospitals in 29 states, and management has offered affected patients identity theft protection programs.
The Modern Healthcare report quotes Mac McMillan of CynergisTek on increasing hacks aimed at healthcare institutions. Hospitals are “going to become a bigger and bigger target as the hacking community figures out it’s easier to hack a hospital than it is to hack a bank and you get the same information,” McMillan said. “I’m not sure healthcare is listening yet.”
This article was originally published on TeleHealth & Telecare Aware and is republished here with permission.
Update 20 Aug: Reuters reports that the hackers operating from China took advantage of the ‘Heartbleed’ bug by targeting vulnerabilities in the CHS virtual private network (VPN) used for employee remote access. The hackers used stolen credentials to enter the network and took it from there. The VPN used equipment from provider Juniper Networks. Reuters interviewed David Kennedy, chief executive of TrustedSec LLC, who also testified to Congress on the multitudinous security flaws of Healthcare.gov. One question: Heartbleed was discovered in April. It would have been logical for CHS’ IT security to be looking for it, and for an April attack to be discovered then. It was not discovered till July after a second attack.