BreachExchange mailing list archives

Community Health Systems’ data breach will likely be the first of many in health care


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 20 Aug 2014 19:54:10 -0600

http://venturebeat.com/2014/08/18/chinese-hackers-pull-largest-healthcare-cyber-attack-on-record/

Data breaches at health care systems are on the rise, experts say, and
these will become more common in the coming years as more patient data goes
digital.

Community Health Systems, a large health care group that has 206 hospitals
in 29 states, said Monday that a cyberattack originating in China resulted
in the theft of Social Security numbers and other personal data belonging
to 4.5 million patients. The scale of the attack makes it the largest in
the U.S. since the Department of Health and Human Services began tracking
such events in 2009.

Hospitals and health insurance companies are accustomed to protecting data
against privacy breaches, but outright cybertheft may be a threat they’re
less prepared for.

In Community Health’s case, the data stolen didn’t contain any clinical
data or credit card data. But the thieves did manage to grab Social
Security numbers and other personal information, which crooks can
cross-reference with other data to form a composite picture of a would-be
victim. It’s by using these composites that bad actors can steal identities
and assets.

Specifically, the data stolen from Community Health included patient names,
addresses, birth dates, and telephone numbers of patients who had seen
Community Health Systems doctors in the past five years. The firm says it’s
now talking to patients and regulatory agencies about what happened, and
the possible implications.

The Chinese group that staged the attack appears to be the same people who
have targeted databases of companies in other U.S. industries, said a
representative from FireEye Inc.’s Mandiant forensics unit, which led the
investigation of the attack in April and June.

The FBI, which is now investigating the case, said in April that health
care providers typically do not use the same high levels of security
technology as companies in other industries. Because of this, the bureau
warned, health care providers and payers could be targeted.

The health care industry includes more than just hospitals and insurance
companies. Health Information Exchanges, which store health data from
multiple hospital systems in a given region, may be a particularly tempting
target for hackers.

Also, a quickly growing class of digital health data companies stores or
manages more digital patient data in order to provide services to providers
or on their behalf. These companies almost always sign a “business
associate” agreement with the health care organization, linking the two
legally. So if a digital health company ends up suffering a data breach,
the hospital could, by extension, be held responsible.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 