Lutheran Health Network’s parent company Monday revealed that 4.5 million patient names, birthdates and Social Security numbers have been stolen – possibly by cyber-criminals in China.
Community Health Systems Inc. reported in a filing to the Securities and Exchange Commission that the information was stolen in April and June. The theft was confirmed by the company in July.
The cyberattack against Community Health involved highly sophisticated malware and technology used to infiltrate the company’s computer network, officials said.
Community Health officials removed the malware and took additional steps to prevent similar security breaches in the future, the filing said. The Franklin, Tennessee, company alerted law enforcement officials and hired an outside information technology consulting firm.
Stolen data also included addresses and phone numbers for patients of doctors affiliated with Community Health. Credit card and medical information was not taken, officials said.
The parent company operates 206 hospitals – plus urgent care centers and doctors’ offices – in 29 states.
Anyone who has seen – or been referred to – a doctor working under the Lutheran Medical Group umbrella during the past five years is potentially vulnerable in the attack. Community Health is notifying those patients affected by the data breach and offering identity theft protection services to them.
Data breaches are becoming increasingly common, leading some IT professionals to advise firms that it’s a question of when – not whether – they will be hacked, too.
Target, the Minneapolis discount retailer, last year suffered a data theft that put the payment information for 40 million customers in the hands of identity thieves.
The company’s CEO and executive in charge of technology resigned in the aftermath.
The SEC in recent months has launched investigations of numerous companies to find out whether they properly handled and reported cyberattacks, Bloomberg News reported last month.
As Community Health noted in its SEC filing, federal and state laws require companies to notify customers and regulatory authorities if that company discovers it’s been hacked.
Monday’s revelation followed an announcement earlier this month from the Justice Department that Community Health agreed to pay more than $98 million to settle allegations that the hospital chain was systematically overcharging the federal government for patient treatment.
The federal investigation included looking into allegations from a whistleblower lawsuit filed more than five years ago by Nancy Reuille, who worked in Lutheran Hospital’s billing department from 1985 to 2008.
The company denied any wrongdoing.
Community Health officials advised the SEC in their data breach filing that they don’t expect the loss will significantly affect the company’s operations or financial performance. Wall Street must have been listening.
Community Health shares, which are traded on the New York Stock Exchange, increased 66 cents to close Monday at $51.66.