Hacked Hospital Network Includes Outstate Missouri Hospitals

By Laura Gerdes Long

4.5M Records Stolen, HIPAA violation

In June 2014, hackers in China used high-end, sophisticated malware to launch criminal cyber-attacks to access patient information from a national hospital system. Community Health Systems, Inc. (“CHS”), operates 206 hospitals across the U.S. in 29 states, including four located in Missouri (Kennett, Kirksville, Moberly, and Poplar Bluff). The breached data is considered protected health information under the Health Insurance Portability and Accountability Act (“HIPAA”).

In a filing with the U.S. Securities and Exchange Commission, CHS said the attacker was an “Advanced Persistent Threat” group which bypassed CHS’ security measures, successfully copying and transferring certain data outside CHS. Although CHS has confirmed that this data did not include patient credit card, medical, or clinical information, the breach does include patient names, addresses, birth dates, telephone numbers and Social Security numbers. CHS has been working closely with federal law enforcement authorities in connection with their investigation and potential prosecution of those determined to be responsible for this attack.

Under various state and federal laws, CHS is obligated to notify affected patients. The Department of Health and Human Services provides a web page describing the breach notification requirements of covered entities to affected individuals, the Secretary of Health and Human Services, and, in certain circumstances, to the media. Immediately prior to the filing of the report with the SEC, CHS completed eradication of the malware from its systems and finalized implementation of other remediation efforts that are designed to protect against future intrusions of this type. Additionally, CHS will be offering identity theft protection services to individuals affected. CHS also carries cyber/privacy liability insurance to protect it against certain losses related to matters of this nature.

This breach is just one of many to take place in recent months, highlighting the need for health care organizations to firm up their preparedness plans as security of information in health care is a constant source of concern. According to a report from security rating firm BitSight Technology, health care industries saw the largest growth in security incidents from April 2013 to March 2014, but also the slowest response.

Posted by Attorney Laura Gerdes Long. Long practices in tort, insurance defense, legal malpractice, health care, and employment law. Well-versed in employment law policies and processes related to HIPAA, she serves as a trainer and advisor to health care providers, insurers, self-insured employers, and municipalities.