The stolen data includes records for patients of who have seen doctors affiliated with the company in the past five years.
Mandiant, a cybersecurity firm hired by the company, believes the attacks originated in China. The FBI is also investigating the break-in.
Between April and June, hackers bypassed the company’s security systems and stole personal data including names, addresses, birth dates, telephone numbers and social security numbers. The stolen information did not include patients’ credit card numbers, medical or clinical data.
The theft was unusual for Chinese hackers “known for seeking intellectual property, such as product design, or information that might be of use in business or political negotiations,” Reuters said. “Social Security numbers and other personal data are typically stolen by cybercriminals to sell on underground exchanges for use by others in identity theft.”
The hacking group wasn’t named in the filing, but Charles Carmakal, managing director of Mandiant, told Bloomberg in an e-mail that the group, which he identified as “APT 18,” “typically targets companies in the aerospace and defense, construction and engineering, technology, financial services, and health-care industry.”
Another cybersecurity firm, Crowdstrike, which has been tracking the group for four years, told Reuters it believes the hackers are either backed by Beijing or work directly for the government based on the targets they have chosen. The firm’s chief technology officer, Dmitri Alperovitch, said “APT 18,” also known as “Dynamite Panda,” has “above average skill” among Chinese hackers.
So why are sophisticated hackers known for corporate espionage turning to identity theft?
Bloomberg’s Michael Riley and Jordan Robertson spoke with someone familiar with the investigation and said there are a couple of theories. The hackers might have “stolen the information for the purposes of locating new targets or adding private data to the profiles of existing targets.” The more likely explanation is that rogue members of the hacking group stole the data without approval from their superiors in hopes of selling it on the black market for extra cash.
According to the New York Times, security experts have warned that digitization of medical records would invite hackers. The U.S. Health and Human Services Department keeps track of breaches of private health data affecting 500 or more people. Using the data, computer virus researchers Stephen Cobb of ESET calculated that every day last year 24,800 Americans had protected health information exposed, the Times said.
Mandiant told Reuters it has seen a spike in cyberattacks on healthcare providers in the past six months. The FBI has warned the industry of its vulnerability.
Community Health discovered the hack in July and has since removed the malware from its systems. The company also said in the regulatory filing that it has beefed up its security systems.
As required by law, patients whose information was stolen will be notified. The company will also offer identity theft protection services.
The company has liability insurance and doesn’t expect the take a major financial hit as a result of the incident.
China has denied similar attacks in the past, but did not respond to Bloomberg’s request for comment.