The company that owns Barrow Regional Medical Center announced this week that five hospitals in Georgia were the target of an external criminal cyber-attack in April and June 2014. The data taken includes patients' names, addresses, birthdates, social security numbers, and, in some cases, telephone numbers, and the names of employers or guarantors. The company says that to the best of its knowledge, no credit card information was taken and no medical or clinical information was taken.
Community Health Systems Professional Services Corporation (“CHSPSC”) owns 206 hospitals in 29 states nationwide and all have been affected by the cyber-breach. Aside from Barrow Regional Medical Center, the other hospitals in Georgia that were affected are Clearview Regional Medical Center, East Georgia Regional Medical Center, Fannin Reigonal Hospital and Trintiy Hospital of Augusta.
In July 2014, CHSPSC confirmed its computer network was the target of an external criminal Tennessee company, provides management, consulting, and information technology services to certain clinics and hospital-based physicians in this area. CHSPSC believes the attacker was an “Advanced Persistent Threat” group originating from China, which used highly sophisticated malware technology to attack CHSPSC's systems.
The intruder was able to bypass the company's security measures and successfully copy and transfer some data existing on CHSPSC's systems. Since first discovering the attack, CHSPSC has worked closely with federal law enforcement authorities in connection with their investigation of the matter. CHSPSC also engaged an outside forensic expert to conduct a thorough investigation and remediation of this incident. CHSPSC has implemented efforts designed to protect against future intrusions. These efforts include implementing additional audit and surveillance technology to detect unauthorized intrusions, adopting advanced encryption technologies, and requiring users to change their access passwords. The majority of patients of clinics and hospital-based physicians affiliated with CHSPSC were not affected by this breach. Individuals whose information was taken in this cyber-attack will be mailed a letter informing them about the data breach and how to enroll in free identity theft protection and credit monitoring services.
The company is recommending that you remain vigilant for incidents of fraud and identity theft by reviewing your credit report and accounts for unauthorized activity. Anyone with questions or concerns about this cyber-attack may contact 1-855-205-6951 toll-free beginning Wednesday, Aug. 20, 2014, at 8:00 a.m. central time. For information on preventing identity theft or to report suspicious activity, contact the Federal Trade Commission at 1-877-438-4338 or get free information at www.ftc.gov.