I've Been Mugged Blog

Community Health Systems, Inc. (CHS) announced a data breach that affected 4.5 million patients nationwide. Breach victims are patients who have done business with any CHS hospitals, or whose physicians are associated with CHS hospitals. CHS said in its website that it includes 206 affiliated hospitals in 29 states, with 135,000 employees and 22,000 physicians.

CHS believes the attack, by hackers from China, occurred between April and June of 2014. Sensitive personal data elements stolen included patient names, addresses, birth dates, telephone numbers and social security numbers. This means that breach victims are vulnerable to identity theft and fraud, since the data elements stolen are sufficient for thieves to apply for and/or open fraudulent credit accounts and loans. The only good news was that the breach did not include patients' medical records and payment information (e.g., credit/debit cards).

CHS has notified federal law enforcement agencies and (links added):

"... engaged Mandiant, who has conducted a thorough investigation of this incident and is advising the Company regarding remediation efforts. Immediately prior to the filing of this Report, the Company completed eradication of the malware from its systems and finalized the implementation of other remediation efforts that are designed to protect against future intrusions of this type. The Company has been informed by federal authorities and Mandiant that this intruder has typically sought valuable intellectual property, such as medical device and equipment development data."

CHS is notifying breach victims, and will offer identity theft protection services. The announcement did not specify which, if any, data elements were encrypted. Usually, breach announcements state which items were encrypted. Hopefully, future announcements will provide the necessary details.

I browsed the CHS site Monday afternoon expecting to see a notice on the site about the breach. I didn't see one. May it is there and hidden. For context: after its massive breach, Target provided a notice and link on its home page for affected breach victims to easily access important information. CHS needs to do the same.

What's even more troubling is that the Social Security numbers weren't encrypted by CHS. How do I know this? The HIPAA Breach Notification Rule governs when hospitals must disclose data breaches. It says in part (links and bold text added):

"Covered entities and business associates must only provide the required notifications if the breach involved unsecured protected health information. Unsecured protected health information is protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance... The guidance... specifies encryption and destruction as the technologies and methodologies for rendering protected health information unusable, unreadable, or indecipherable to unauthorized individuals. Additionally, the guidance also applies to unsecured personal health record identifiable health information under the FTC regulations. Covered entities and business associates, as well as entities regulated by the FTC regulations, that secure information as specified by the guidance are relieved from providing notifications following the breach of such information."

In other words, if CHS had encrypted the information stolen, it probably would not have had to issue a breach notification (and incur the related costs). Since it did issue a breach notification, I conclude the data elements stolen -- especially Social Security numbers -- were not encrypted. Even though credit card data wasn't stolen in the breach, this makes one wonder if this payment information is encrypted. Hopefully, CHS will say more soon about what data is encrypted; and why or why not.

While browsing its website, I learned that CHS confirmed in an August 4 press release that it had:

"... resolved the investigation by the U.S. Department of Justice into short stay admissions through emergency departments at certain affiliated hospitals. The parties have entered into a settlement agreement, which concludes the government’s review into whether these 119 hospitals billed Medicare, Medicaid and TRICARE for certain inpatient admissions from January 2005 to December 2010 that the government believed should have been billed as outpatient or observation cases... Under the terms of the agreement, there is no finding of improper conduct by Community Health Systems or its affiliated hospitals, and the Company has denied any wrongdoing. The Company has agreed to pay $88,257,500 in resolution of all federal government claims, including Medicare, TRICARE and the federal share of the Medicaid claims, and an additional $892,500 to the states for their portions of the Medicaid claims."

To see if your hospital was affected, browse the list of CHS locations by state. Have you received a breach notice from CHS? What are your opinions of the notice? Of the identity theft protection services offered?