In July 2014, Community Health Systems, Inc. confirmed that its computer network was the target of an external, criminal cyber attack that the company believes occurred in April and June, 2014. The news was released Monday in a filing with the Securities and Exchange Commission. The company operates six hospitals in New Mexico, including MountainView Medical Center in Las Cruces and Mimbres Memorial Hospital in Deming. Patient data, including social security numbers, is believed to be at risk, according to the SEC filing.
The company said in the filing that it believes the attacker was an “Advanced Persistent Threat” group originating from China who used highly sophisticated malware and technology in the attack. The filing states the data transferred was non-medical patient identification data of approximately 4.5 million individuals who, in the last five years, were referred for or received services from physicians affiliated with the company. The Company has confirmed that this data did not include patient credit card, medical or clinical information; the data is, however, considered protected under the Health Insurance Portability and Accountability Act (“HIPAA”) because it includes patient names, addresses, birth dates, telephone numbers and social security numbers.
The company states it is providing appropriate notification to affected patients and regulatory agencies as required by federal and state law. The company will also be offering identity theft protection services to individuals affected by this attack. The firm carries cyber/privacy liability insurance to protect it against certain losses related to matters of this nature. While this matter may result in remediation expenses, regulatory inquiries, litigation and other liabilities, at this time, the company states it does not believe this incident will have a material adverse effect on its business or financial results.