Cyberattacks on hospital system occurred in April, June

NEW YORK — Chinese hackers stole Social Security numbers, names and addresses from 4.5 million patients of Community Health Systems, the second-biggest for-profit U.S. hospital chain, according to the company.

The attacks occurred in April and June, the Franklin, Tenn.-based company said Monday in a U.S. regulatory filing. The hacker group originated from China and bypassed the company’s security system, making off with non-medical information from people who visited doctors’ offices associated with the company.

The hospital system includes Mesa View Regional Hospital in Mesquite.

“Unfortunately, we have joined numerous American companies and institutions who have been victimized by highly sophisticated, criminal cyber-attacks originating out of China,” Tomi Galin, a spokeswoman for Community Health, said in an e-mail. “Importantly, no patient medical or financial information was transferred as a result of this intrusion.”

Community Health is among several companies that have reported similar breaches. Supervalu Inc., a U.S. supermarket chain, said Aug. 15 that it suffered an attack that exposed customers’ credit- and debit-card information. The retailer Target was breached last year by Eastern European hackers who stole credit card numbers and other personal data from at least 70 million customers in one of the biggest retail hacking incidents in U.S. history.

The Chinese embassy in Washington said it wasn’t aware of the attack. “Chinese laws prohibit cyber crimes of all forms and Chinese government has done whatever it can to combat such activities,” Geng Shuang, an embassy spokesman, said in an e- mail. “Making groundless accusations at others is not constructive at all and does not contribute to the solution of the issue.”

One electronic security expert said the company could have better safeguarded the data. “There is no indication that this data was encrypted, which creates further challenges for the organization and the patients impacted,” JD Sherry, vice president for network security company Trend Micro, said in an e-mail.

Community Health said it hired electronic forensics specialist Mandiant, a subsidiary of FireEye, to investigate the incident and suggest security improvements. The hospital operator also is working with the FBI.

“We understand the significance of this and other recently announced cyber-intrusions by state actors and other cybercriminals and are committing significant resources and efforts to target, disrupt, dismantle and arrest the perpetrators,” FBI spokesman Joshua Campbell said in an e-mail.

Federal authorities and security experts have been tracking the Chinese state-sponsored group they believe is responsible for the breach over a period of several years. This is the first time the group has been linked to the theft of the kind of personal data in which cybercriminals specialize, according to a person familiar with the investigation.

Usually, the Chinese hacker group focuses on typical targets of industrial espionage, specializing in pharmaceutical companies and research related to the development of new drugs. It has occasionally targeted other sectors as well, according the person involved in the investigation, who agreed to speak only on condition of anonymity.

The Chinese embassy in Washington didn’t respond to an e- mail requesting comment.

Community Health said it’s notifying patients and will be offering identity theft protection services to them. The company said it doesn’t believe the electronic break-in will affect its business.

Sherry said the hospital chain will have to reassure patients after the hacking incident.

“The bigger financial impact is the soft costs of losing patient trust and confidence in their services, which can be extremely difficult to recover from,” Sherry said.