More than four million patient names, addresses, telephone and Social Security numbers and birth dates were stolen in a criminal cyber attack on a health system with facilities in Southern Illinois.
Community Health Systems Inc., based in Franklin, Tennessee, announced the breach Monday, but said the attack is believed to have occurred in April and May.
No medical records or credit card numbers were taken in the attack, but hackers accessed the personal identification information of certain patients who were referred to or received care from physicians affiliated with the system over the past five years, the company reported in a regulatory filing.
The company has three local hospitals including Heartland Regional Medical Center in Marion, Union County Hospital in Anna, and Crossroads Community Hospital in Mount Vernon.
Spokeswomen for Heartland and Union County said hospital patients were not affected by the cyber attack and the company is looking at affiliated clinics in the region to see which, if any, were affected by the breach.
Messages left for a Crossroads spokeswoman were not returned.
“We take the security and confidentiality of our patients very seriously,” said Jennifer Lee, Heartland’s director of marketing and business development.
Those patients affected by the cyber attack, believed to have originated in China, will be contacted by the company. Steps were also taken to make sure such a breach does not happen again.
“Though we have no reason to believe that this data would ever be used, all affected patients are being notified by letter and offered free identity theft protection,” Union County Hospital spokeswoman Mary Nash-Swink said in an email. “The intruder used highly sophisticated methods to bypass security systems. The intruder has been eradicated and applications have been deployed to protect against future attacks. We are working with federal law enforcement authorities in their investigation and will support prosecution of those responsible for this attack.”
Identity theft is the biggest worry for affected patients, according to attorney Lucie F. Huger of Greensfelder, Hemker & Gale P.C. in St. Louis. Part of Huger’s practice involves addressing data breaches and working to prevent them from occurring.
The theft of identifying information from more than four million patients is “very significant,” she said. “Names, addresses, telephone numbers, Social Security numbers and birth dates? When that information is stolen it could lead to identity theft — and that’s what everybody is and should be concerned about.”
Affected patients should sign up for the theft protection services and monitor their personal credit information closely, she said.
“They need to be very vigilant and understand what’s in their credit history now and in the future,” Huger said. “If they notice anything suspicious, they need to notify law enforcement. Don’t wait. Act promptly.”
The attack should also serve as a reminder for all companies to make sure such data is secure.
“Consumers often have to disclose this information to get services and they rely on these companies to make sure their information is secure,” she said. “This should be a wake-up call. No matter your size or location, you are vulnerable to an attack. Companies have to make sure the data they have is secure and that companies they work with have data security and are taking it as seriously as they are.”
Companies should have policies and processes in place to prevent such breaches and that often means working with experts, Huger said.
“Data security evolves, so they need to stay on top of it,” she said.