Hack of hospital chain leads to theft of up to 4.5M users' data

Community Health Systems is targeted in a massive cyberattack leading to stolen Social Security numbers and patient names and addresses. It's believed the attack originated in China.

Dara Kerr Former senior reporter


One of the biggest hospital groups in the US revealed Monday that it suffered a monumental security breach, which possibly led to 4.5 million patients' data being stolen, according to Reuters.

Community Health Systems, which oversees 206 hospitals in 29 states, said the stolen information includes Social Security numbers, patient names and addresses, telephone numbers, and birth dates, according to Reuters. This is the largest known attack to involve hospital patient information since the US government began tracking these types of data breaches in 2009.

"One possible goal of this attack is to facilitate future targeted attacks," Elysium Digital data security expert Joseph Calandrino told CNET. "The type of data that was stolen from the hospital system is often used to verify a person's identity. The exposure of this data creates a risk that the hackers could leverage it to gain access to other accounts and information."

It's believed the cyberattack originated in China, according to Reuters. Security firm Mandiant, which investigated the breach in April and June, said the hackers belong to a group that targets defense, engineering, financial services, and health care companies. It's unclear if these hackers are affiliated with the Chinese government.

Various security experts have long accused China of waging a cyberwar on US government and private company websites. A report by Mandiant released in 2013 linked China's People's Liberation Army to a large number of cyberattacks on US soil. However, the Chinese government has flatly denied that it is involved in cyber-espionage or hacking.

The cyberattack on Community Health Systems is just one of many over the past few months. Last December, retailer Target revealed 110 million people's data was stolen in a breach, and retailers Neiman Marcus and Michaels Stores were also attacked around the same time. Earlier this month, cybersecurity firm Hold Security identified what is arguably the largest known data breach in history, in which a Russian cybergang allegedly stole 1.2 billion username and password combinations and more than 500 million email addresses.

Community Health Systems told Reuters it stopped the cyberattack by removing the malicious software used by the hackers. The hospital group is currently notifying its patients of the breach.

CNET contacted Community Health Systems for more information. We'll update the story when we hear back.
