WILKES-BARRE — A cyber attack on Community Health Systems Inc., which owns hospitals and medical practices in the Wyoming Valley and surrounding communities, has resulted in 4.5 million patients being affected nationwide.
According to a report the company filed Monday with the U.S. Securities and Exchange Commission, the attack took place in April and June.
CHS and its forensic expert, Mandiant, believe that the attacker was an “advanced persistent threat” originating from China. The group allegedly used highly sophisticated malware and technology to attack the company’s computer systems, and was able to bypass security measures to copy and transfer certain data from the company.
Based in Franklin, Tennessee, CHS owns or leases 206 hospitals in 29 states, including: Wilkes-Barre General Hospital; First Hospital in Kingston; Regional Hospital and Moses Taylor Hospital, both in Scranton; and Berwick Hospital and Tyler Memorial Hospital in Tunkhannock. In those hospitals, CHS spokeswoman Renita Fennick said there’s a workforce of about 6,000.
CHS has 20 affiliated hospitals across Pennsylvania, including in York, Philadelphia, Lancaster and Easton.
According to a statement CHS released late Monday afternoon, the attack does not involve Commonwealth Health-affiliated hospital-specific data, Physicians Health Alliance, Great Valley Cardiology or InterMountain Medical Group practices.
“Limited personal identification data belonging to some patients who were seen at the Berwick Medical Professionals practices, Wilkes-Barre Academic Medicine Clinic, Wyoming Valley Surgical Associates, Wilkes-Barre Neurosurgical Associates, Scranton Clinic Company and Wilkes-Barre Clinic Company over the past five years was transferred out of our organization in a criminal cyber attack by a foreign-based intruder,” CHS said in the statement.
The transferred information did not include any medical information or credit card information, but it did include names, addresses, birthdates, telephone numbers and Social Security numbers, CHS said.
Patients who have been affected will receive a letter from their physician’s office. A toll-free number (1-855-205-6951) will be set up to answer patients’ questions.
“We take very seriously the security and confidentiality of private patient information and we sincerely regret any concern or inconvenience this event may cause our patients. Though we have no reason to believe that this data would ever be used, all affected patients are being notified by letter and offered free identity theft protection,” CHS said.
CHS officials believe the intruder was a foreign-based group out of China that was likely looking for intellectual property.
“The intruder used highly sophisticated methods to bypass security systems. The intruder has been eradicated and applications have been deployed to protect against future attacks. We are working with federal law enforcement authorities in their investigation and will support prosecution of those responsible for this attack,” CHS said.
The breached data is considered protected under the Health Insurance Portability and Accountability Act (HIPPA) because it includes patient names, addresses, birth dates, telephone numbers and social security numbers, CHS said.
CHS carries liability insurance to protect it against losses from cyber attacks, and company officials do not believe that the attack will have a negative affect on business or financial results.
Times Leader staff writer Steve Mocarsky contributed to this report.