Community Health Systems, Inc., announced yesterday in a filing with the Securities and Exchange Commission that its computer network was targeted by cyber criminals believed to be from China. The attackers reportedly used malware and technology to transfer protected health information outside of the company’s systems from April to June of 2014. Community Health Systems, which has 206 hospitals in 29 states from Alaska to Florida, said that the breach affected physician practice operations and individuals who “were referred for or received services from physicians affiliated” with the company in the last five years. The patient identification information that was the subject of the breach included patient names, addresses, dates of birth, phone numbers, and Social Security numbers. To mitigate the breach, the company notified federal law enforcement and hired a forensic expert to investigate and implement protections against future attacks.
The breach rule implementing the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) requires notification of the affected individuals within 60 days of discovery of a breach. Additionally, breaches involving the unsecured protected health information of 500 or more individuals must be reported to the media and the U.S. Department of Health and Human Services within 60 days of discovery. The hospital system’s announcement demonstrates that the breach rule applies even in cases where patient medical and clinical information is not part of the protected health information that was the subject of the breach.