Hackers grab 4.5 million patient IDs from system
A Tennessee-based health system is learning the hard way that protecting patient data is a never-ending job.
In addition to the now almost routine incidents of employees losing laptop computers or hard drives, hospitals are facing off with determined and sophisticated computer hackers.
Community Health Systems (CHS), which operates 206 hospitals across the United States, recently announced that hackers broke into its computers and stole data on 4.5 million patients, including their names, Social Security numbers, physical addresses, birthdays, and telephone numbers. The breach affected all patients who received treatment from a physician’s office tied to a network-owned hospital in the last five years, and even those who were only referred there by an outside doctor.
The breach is the largest healthcare data loss to date related to hacking, and it takes the number two spot on the Health and Human Services "Wall of Shame" tracking healthcare data breaches affecting more than 500 people. (For more on the Wall of Shame, see the story on p. 105.)
Not all the news is bad
In one bit of good news, the hackers did not access information related to patients’ medical histories, clinical operations, or credit cards. The lost personal information, however, is protected by the Health Insurance Portability and Accountability Act (HIPAA). At least in theory, state attorneys general could sue CHS for damages. Patients also could sue the hospital network for negligence, if state law allows that action.
CHS has hospitals in 28 states, with most being in Alabama, Florida, Mississippi, Oklahoma, Pennsylvania, Tennessee, and Texas. Computer security professionals hired by CHS determined the hackers were in China and used high-end, sophisticated malware to launch the attacks, the health system reported.
The hospital network’s announcement noted that it had removed the hackers’ malware from its computer systems and implemented protections to prevent similar break-ins. In addition, CHS is offering fraud protection services to all the affected patients. (See the story on p. 105 for more on CHS’s investigation.)
The consultants and the FBI told hospital officials that the hackers previously were known for corporate espionage and targeted valuable information about medical devices. The FBI said it is committing serious resources to tracing the hackers. The huge breach prompted the FBI to warn healthcare organizations that hackers are targeting them. (See the story below for more on the FBI warning.)
After CHS announced the breach, it tried to address concerns about the financial effect. In a filing with the Securities and Exchange Commission (SEC), CHS stated that it "carries cyber/privacy liability insurance to protect it against certain losses related to matters of this nature."
This data breach is noteworthy because of its enormity, says R. Stephen Trosty, JD, MHA, CPHRM, president of Risk Management Consulting in Haslett, MI, and a past president of the American Society for Healthcare Risk Management (ASHRM) in Chicago. "You might say that the difference between other computer hacking and hacking hospital data is the number of files obtained and the amount of data for each patient," Trosty says. "However, I am not sure that there is anything that can be done to completely protect against this as long as there are clever, determined hackers who are determined to obtain the information."
The case is interesting because the scope seems to be far greater than other data breaches, and it also involves hospitals throughout the country, Trosty says.
The CHS experience should prompt risk managers to be certain that their hospital or system has the best possible firewalls, encryption, and password practices, Trosty says. "It is important that all hospitals take this threat seriously and have competent, educated people who establish, update, and enhance all data protections. It is important that this be regularly reviewed to be certain that it is meeting the most stringent possible criteria," he says. "It also is important to try to install protections that are best able to detect potential bugs."
Risk managers also should look at the firewall, encryption, and password protections that exist for data that is transferred from physician office practices and clinics to the hospital and any data that might then be transferred back to physician offices and clinics, Trosty advises. It is not enough to only look at data that is generated by the hospital.
There also should be an effort made to ensure that hospital-based and hospital-owned physician practices and clinics have installed the necessary protections within their own data systems, he says. The protections should exist internally within these entities (physician office practices and clinics), as well as between the hospital and the entities.
"It also is important that if a breach is discovered, immediate action is taken to correct the breach and install software that will prevent this type of breach from happening again," Trosty says. "The hospital must take corrective action relative to the breach and type of breach that has occurred. At the same time, there needs to be timely notification of patients whose data has been compromised."
R. Stephen Trosty, JD, MHA, ARM, CPHRM, President, Risk Management Consulting, Haslett, MI. Telephone: (517) 339-4972. Email: [email protected].