Healthcare Technology Featured Article

August 18, 2014

Hackers Strike Virginia Hospitals, Seize Names & Social Security Numbers


Going to the hospital these days can prove to be something of a dangerous exercise. Not only is there the clear physical danger (people usually go because they need some kind of major surgical treatment or the like), but there's also the risk of large quantities of highly identifiable information being seized as well. Hospitals aren't safe from hackers, as was recently discovered with Community Health Systems, which announced that hackers had slipped into the company's databases and seized data for 4.5 million patients.

The haul was staggering in both its size and its scope. While any data for 4.5 million patients would be bad enough, what the hackers got on those 4.5 million was even worse. The hackers reportedly managed to land not only names, but also addresses, telephone numbers and birth dates. Worst of all, Social Security numbers were also taken, making for a potential horrorshow of identity theft cases. Just to add insult to injury, the records seized were not strictly recent, either; anyone who has received treatment at a Community Health Systems hospital in the last five years is at risk, and there are 206 such hospitals throughout the United States. Even anyone just referred to a Community Health Systems hospital in the last five years is likewise at risk.

Naturally, the FBI is involved, as Community Health Systems has a presence in 28 different states. Community Health Systems itself has hired Mandiant's cybersecurity experts to find out just what went wrong, with all parties involved putting “...significant resources and efforts to target, disrupt, dismantle and arrest the perpetrators.” That's likely cold comfort to the patients who lost data in this, though; reports suggest there's very little the patients can do for protection in the wake of this kind of theft. As for notification, Community Health Systems reportedly plans to issue notification “as required by federal and state law,” which means a variety of things depending on location.

However, the bright spot here, if it can be called that, is two-fold. One, thanks to the Health Insurance Portability and Accountability Act (HIPAA), patients can sue for damages, and given that the hospital admitted its fault already, that's likely to be a fairly easy win. Two, the company carried liability insurance specifically against this kind of theft, so there's likely to be compensation going around. Already, the company is planning to offer identity theft protection systems at no charge to those impacted by the event.

In a situation like this, the question quickly asked is: what could have been done to prevent this? In this particular case, likely very little. Reports suggest the hackers were Chinese, operating with extremely powerful malware. That malware was actually found, and new protections were put in place to guard against such measures in the future, but some of it may have been missed during the first sweep, a distinct possibility in any operation helmed by human beings.

Still, it's no excuse for a lack of vigilance, and while Community Health Systems seems to have done nearly everything in its power to protect the data under its care, it still proved to be inadequate in the end. Only time will tell what the end result of all this is, and it's not likely to be a positive end for anyone.




Edited by Maurice Nagle