Community Health Systems hacked; data for 4.5 million patients compromised

Community Health Systems reported to the Securities and Exchange Commission today that hackers in China have obtained patient names, addresses, birthdates, telephone numbers and social security numbers from 4.5 million of its patients between April and June.

CHS said in the report that while the stolen data violates HIPAA regulations, credit card and medical information was not included in the security breach. The company told the SEC that it has been working with a forensic investigation company, Mandiant, and together, confirmed the activity in July. Just before reporting to the SEC, CHS said it had “completed eradication of the malware from its systems” and finished implementation of remediation and protective systems.

CHS said it is contacting affected patients, most of whom they said were referred for or received services from physicians affiliated with CHS in the past 5 years. CHS will offer identity theft protection to all affected patients, the report said.

The publicly traded company, which owns 206 hospitals in 29 states, said it anticipates regulatory inquiries, remediation expenses and other possible litigation or liabilities, but it “does not believe this incident will have a material adverse effect on its business or financial results.”

The news comes on the heels of a Department of Justice announcement earlier this month that said CHS had agreed to pay $98.15 million to resolve lawsuits for allegedly “knowingly [billing] government health care programs for inpatient services that should have been billed as outpatient or observation services” between 2005 and 2010, according to the DOJ statement. The fine also included $9 million in remediation over allegations its subsidy, Laredo Medical Center in Texas, violated the Physician Self-Referral Law, also known as the Stark Law, for improperly billing Medicare.