Community Health Systems hack compromises info for 4.5 million patients

Personal information for about 4.5 million patients of Franklin, Tennessee-based Community Health Systems--which operates 206 hospitals in 29 states--was compromised in April and June when hackers gained access to its computer network.

The data included patient names, addresses, birth dates and Social Security numbers, according to a Wall Street Journal article. The data did not include medical or credit card information.

CHS, in an Aug. 18 filing with the U.S. Securities and Exchange Commission, said they believe the attack was the work of a group originating in China. The hackers were able to bypass the health system's security measures to copy and transfer data outside of the company.

This breach is just one of many to take place in recent months--with analysis showing that healthcare organizations' networks are being compromised at an "alarming" frequency, according to a report by The SANS Institute.

Patients impacted by the breach were referred for or received services from company-affiliated physicians over the last five years, according to WSJ.

Security of information in healthcare is a constant source of concern and the industry lags far behind others when it comes to protection of patient information.

The industry saw the largest growth in security incidents from April 2013 to March 2014, according to a report from security rating firm BitSight Technology. And, for hospital CIOs, one of their biggest concerns for 2014 is security.

Community Health wrote in the SEC filing that it "does not believe this incident will have a material adverse effect on its business or financial results."

However, data breaches are having an impact on patient trust of electronic systems. A study in the Journal of the American Medical Informatics Association found that patients of providers that use electronic health records may be more likely to clam up when it comes to providing information for fear the data won't be secure.

To learn more:
- read the WSJ article (registration required)
- read the SEC filing (.pdf)