Longview, Lufkin hospital affected in network data hack
POSTED: Monday, August 18, 2014 - 7:00pm
UPDATED: Tuesday, August 19, 2014 - 10:39am
4.5 million records stolen
(KETK/CNN) — Editor's Note: A statement from Longview Regional Medical Center and Lufkin Regional Medical Center can be found at the bottom of this report. Attached is a copy of the Community Health Systems Form 8-K about the incident.
Two East Texas hospitals were affected when hackers took millions of patients information during a recent hack attack: Longview Regional Medical Center and Woodland Heights Medical Center in Lufkin.
Community Health Systems, which operates 206 hospitals across the United States, announced on Monday that hackers recently broke into its computers and stole data on 4.5 million patients.
Hackers have gained access to their names, Social Security numbers, physical addresses, birthdays and telephone numbers.
Anyone who received treatment from a network-owned hospital in the last five years -- or was merely referred there by an outside doctor -- is affected.
The large data breach puts these people at heightened risk of identity fraud. That allows criminals to open bank accounts and credit cards on their behalf, take out loans and ruin personal credit history.
The company's hospitals operate in 28 states but have their most significant presence in Alabama, Florida, Mississippi, Oklahoma, Pennsylvania, Tennessee and Texas.
Community Health Systems hired cybersecurity experts at Mandiant to consult on the hack. They have determined the hackers were in China and used high-end, sophisticated malware to launch the attacks sometime in April and June this year.
Federal investigators and Mandiant told the hospital network those hackers have previously been spotted conducting corporate espionage, targeting valuable information about medical devices.
But this time, the hackers stole patient data instead. Hackers did not manage to steal information related to patients' medical histories, clinical operations or credit cards.
Still, the lost personal information is protected by the Health Insurance Portability and Accountability Act, the federal health records protection law. That means patients could sue the hospital network for damages.
Shares of the publicly-traded Community Health Systems edged lower Monday morning. But the company tried to stem worries about the damages in a filing Monday with the Securities and Exchange Commission, saying that it "carries cyber/privacy liability insurance to protect it against certain losses related to matters of this nature."
The hospital network said that, it managed to wipe the hackers' malware from its computer systems and implemented protections to prevent similar break-ins.
The network plans to offer identity theft protection to the 4.5 million victims of the data breach.
Both East Texas hospitals released the following statement to KETK:
Limited personal identification data belonging to some patients who were seen at physician practices and clinics affiliated with Longview Regional Medical Center over the past five years was transferred out of our organization in a criminal cyber attack by a foreign-based intruder. The transferred information did not include any medical information or credit card information, but it did include names, addresses, birthdates, telephone numbers and social security numbers.
We take very seriously the security and confidentiality of private patient information and we sincerely regret any concern or inconvenience to patients. Though we have no reason to believe that this data would ever be used, all affected patients are being notified by letter and offered free identity theft protection.
Our organization believes the intruder was a foreign-based group out of China that was likely looking for intellectual property. The intruder used highly sophisticated methods to bypass security systems. The intruder has been eradicated and applications have been deployed to protect against future attacks. We are working with federal law enforcement authorities in their investigation and will support prosecution of those responsible for this attack.
Many American companies and organizations have been victimized by foreign-based cyber intrusions. It is up to the Federal Government to create a national cyber defense that can prevent this type of criminal invasion from happening in the future.
Patients who are affected will receive a letter notifying them that their data was included and stated within the letter will be a phone number for them to utilize.
According to the Better Business Bureau, patients should keep checking their bank statements and monitor information closely. They also recommend the public checks credit reports once or twice a year.
if you suspect you are victim of identity theft, follow these three steps immediately:
- Place a fraud alert with all 3 credit bureaus (Equifax, Transunion, Experian).
- Order a copy of your credit report.
- Create an Identity Theft Report with the FTC and your local police department.