River Region, parent company victim of cyber attack from China

Published 11:03 am Tuesday, August 19, 2014

Some of 4.5 million patients who had personal information hacked over the past five years while in hospitals owned by the parent company of River Region Medical Center included those who received care at the U.S. 61 North facility, a spokeswoman said Monday.

Community Health Systems reported Monday in a regulatory filing it was the victim of a cyber attack from China in which Social Security numbers and other personal data was stolen. It would be the largest attack of its type involving patient information since the U.S. Department of Health and Human Services began tracking breaches in 2009.

The transferred information did not include any medical information or credit card information, but it did include names, addresses, birthdates, telephone numbers and Social Security numbers, said Heather Butler, the hospital’s vice president of marketing and public relations.

Email newsletter signup

Sign up for The Vicksburg Post's free newsletters

Check which newsletters you would like to receive
  • Vicksburg News: Sent daily at 5 am
  • Vicksburg Sports: Sent daily at 10 am
  • Vicksburg Living: Sent on 15th of each month

“We take very seriously the security and confidentiality of private patient information and we sincerely regret any concern or inconvenience to patients.” Butler said in a statement late Monday. “Though we have no reason to believe that this data would ever be used, all affected patients are being notified by letter and offered free identity theft protection.”

The hackers belonged to a highly-organized group in China that targets the aerospace, defense, construction and engineering, technology, financial services and healthcare industries, according to reports published throughout the day Monday. The Franklin, Tenn.-based hospital chain said Mandiant forensics unit investigated the attack on its computers, which occurred in April and June. The attacker was “able to bypass the compay’s security measures and successfully copy and transfer certain data outside the company” using sophisticated malware, according to the filing with the Securities and Exchange Commission.

The other thefts also contained no credit card information but did involve names, addresses, birthdates, telephone numbers and Social Security numbers, all considered to be protected under the Health Insurance Portability and Accountability Act.

FBI spokesman Joshua Campbell told Reuters news service said his agency was investigating the Community Health case, but declined to elaborate.