NEW YORK (CNNMoney) — Community Health Systems, which operates 206 hospitals across the United States, announced on Monday that hackers recently broke into its computers and stole data on 4.5 million patients.
Hackers have gained access to their names, Social Security numbers, physical addresses, birthdays and telephone numbers.
Anyone who received treatment from a network-owned hospital in the last five years — or was merely referred there by an outside doctor — is at risk.
The large data breach puts these people at heightened risk of identity fraud. That allows criminals to open bank accounts and credit cards in their names, take out loans and ruin their personal credit history.
Here is a list of Community Health Systems hospitals in Oklahoma:
- Deaconess Hospital – Oklahoma City, Okla.
- INTEGRIS Blackwell Regional Hospital – Blackwell, Okla.
- INTEGRIS Clinton Regional Hospital – Clinton, Okla.
- INTEGRIS Marshall County Medical Center – Madill, Okla.
- INTEGRIS Mayes County Medical Center – Pryor, Okla.
- INTEGRIS Seminole Medical Center – Seminole, Okla.
- Medical Center of Southeastern Oklahoma – Durant, Okla.
- Midwest Regional Medical Center – Midwest City, Okla.
- Ponca City Medical Center – Ponca City, Okla.
- Woodward Hospital – Woodward, Okla.
“What makes this unique is that it is hospitals,” Al Heitkamper, a cyber security professor at Oklahoma City Community College, said Monday. “Because of the whole HIPAA (Health Insurance Portability and Accountability Act) issue, hospitals know that they need to protect patient information.”
Community Health Systems hired cybersecurity experts at Mandiant to consult on the hack. They have determined the hackers were in China and used high-end, sophisticated malware to launch the attacks sometime in April and June this year.
The FBI said it’s working closely with the hospital network and “committing significant resources and efforts to target, disrupt, dismantle and arrest the perpetrators.”
Federal investigators and Mandiant told the hospital network those hackers have previously been spotted conducting corporate espionage, targeting valuable information about medical devices.
But this time, the hackers stole patient data instead. Hackers did not manage to steal information related to patients’ medical histories, clinical operations or credit cards.
Still, the lost personal information is protected by the Health Insurance Portability and Accountability Act, the federal health records protection law. That means patients could sue the hospital network for damages.
As for exposed victims protecting themselves? There’s little they can do. They won’t be truly protected from fraud until numerous government agencies, credit bureaus, banks, data brokers and others update their systems.
“Most people don’t realize that their identity has already been stolen. There’s so much information that you give away freely,” Heitkamper said. “The big question is, when will it be used?”
Making matters worse, Community Health Systems said it will provide notification to the 4.5 million patients “as required by federal and state law,” which is inconsistent and varies by region. There is no federal data breach law that requires timely and transparent disclosure that sensitive personal information was lost.
Shares of the publicly traded Community Health Systems edged lower Monday morning. But the company tried to stem worries about the damages in a filing Monday with the Securities and Exchange Commission, saying that it “carries cyber/privacy liability insurance to protect it against certain losses related to matters of this nature.”
The hospital network said that just before Monday’s announcement, it managed to wipe the hackers’ malware from its computer systems and implemented protections to prevent similar break-ins.
The company plans to offer identity theft protection to the 4.5 million victims of the data breach.
A spokesperson for Midwest Regional Medical Center in Midwest City said they weren’t affected.
INTEGRIS said at this time, they believe their hospitals were not affected either.
Ponca City Medical Center spokesman Eric Lybarger says, “Limited personal identification data belonging to some patients who were seen at our affiliated physician practices and clinics over the past five years was transferred out of our organization in a criminal cyber attack.”
Lybarger also tells KFOR no hospital files were breached and all patients affected will be sent letters by the end of August.
Deaconess Hospital sent a statement, saying “…limited personal identification data belonging to patients seen at Deaconess Physician Services Clinic Corporation was transferred out of our organization in a criminal cyber attack. The breach did not affect patients of Deaconess Hospital.”
Heitkamper said to make sure your computer’s anti-virus is up to date, shred those receipts, and check your free credit report every four months.