CHS: Data breach affected practices affiliated with Memorial Hospital
Physician practices affiliated with Memorial Hospital of York were affected by a data breach at the hospital's parent company, a company spokeswoman confirmed this morning.
"The data breach affected records from the physician practices, not the hospital," said Tomi Galin, vice president of corporate communications for Tennessee-based Community Health Systems Inc. "We will be notifying all affected patients and offering free identity theft protection."
Lancaster Regional Medical Center spokeswoman Danielle Gilmore said in an email Monday that the facility and the two other CHS facilities in the region — Heart of Lancaster Regional Medical Center and Carlisle Regional Medical Center — and their affiliated practices were not affected by the breach.
CHS announced the attack in a regulatory filing yesterday, saying the company believes it happened in April and June of this year and was confirmed in July. The attack appears to have come from an "'Advanced Persistent Threat' group originating from China" that has typically sought valuable intellectual property, such as medical device and equipment development data.
In this case, however, CHS said the attacker was able to bypass CHS security measures and got nonmedical patient identification data related to the company’s physician practice operations, affecting 4.5 million people who were referred for or received services from physicians affiliated with the company in the last five years.
The data did not include patient credit card, medical or clinical information, CHS said, but is considered protected under the Health Insurance Portability and Accountability Act because it includes patient names, addresses, birth dates, telephone numbers and Social Security numbers.
CHS also said it engaged forensic expert Mandiant, a FireEye company, and "has worked closely with federal law enforcement authorities in connection with their investigation and possible prosecution of those determined to be responsible for this attack."
CHS is a for-profit firm and the nation’s largest operator of acute care hospitals. It acquired Memorial Hospital in 2012. The other three hospitals were formerly part of Health Management Associates Inc., which CHS acquired in January of this year.