Stolen Health Data Threatens Pennsylvanians/Others With Identity Theft

Chinese Hackers implicated

Monday August 18 CNN Money reported Community Health Systems, headquartered in Franklin, Tennessee, announced it’s 206 hospital system, spanning 29 states, had been hacked, exposing critical personal information of 4.5 million patients of its affiliated physicians.  Anyone who used the services of a linked doctor in the past five years, even if never seen at a hospital, is potentially at risk.

Pennsylvania is one of seven states identified as having the most significant presence in the Community Health Systems network, operating 20 hospitals in the Commonwealth.  As a rough estimate, 20 of 206 hospitals is 9.7% of the hospitals in the network.  9.7% of the reported 4.5 million patients suggests about 436,500 Pennsylvanians could be at risk.

It’s reported that the hackers, identified as Chinese, did not get any information related to medical history or credit cards, but information critical to obtaining credit cards and stealing the identities of those at risk, including names, social security numbers, addresses, birthdays, and telephone numbers.  Community Health Systems has said it will be offering identity theft prevention services when it notifies individual patients.

Spokesperson Jason McSherry, representing affiliated and affected Memorial Hospital in York, PA, provided the following statement, shared here in its entirety:

Limited personal identification data belonging to some patients who were seen at physician practices and clinics affiliated with Memorial Hospital over the past five years was transferred out of our organization in a criminal cyber attack by a foreign-based intruder. The transferred information did not include any medical information or credit card information, but it did include names, addresses, birthdates, telephone numbers and social security numbers.

We take very seriously the security and confidentiality of private patient information and we sincerely regret any concern or inconvenience to patients. Though we have no reason to believe that this data would ever be used, all affected patients are being notified by letter and offered free identity theft protection.

Our organization believes the intruder was a foreign-based group out of China that was likely looking for intellectual property. The intruder used highly sophisticated methods to bypass security systems. The intruder has been eradicated and applications have been deployed to protect against future attacks. We are working with federal law enforcement authorities in their investigation and will support prosecution of those responsible for this attack.

Many American companies and organizations have been victimized by foreign-based cyber intrusions. It is up to the Federal Government to create a national cyber defense that can prevent this type of criminal invasion from happening in the future.

In discussion with McSherry, he emphasized that stolen information resided in connected doctors offices rather than the hospitals.  For this reason, he does not think anyone using a hospital directly for emergency or any other reason would be at risk.  The Memorial Hospital website currently lists 267 affiliated physicians.

McSherry also said that not all network hospitals are affected by the breach.  For instance, the affiliated nearby Carlisle Regional Medical Center, although part of the Community Health Centers network, uses a different information system.  He did not know how many different information systems are used by Community Health Centers.

Back to the provided statement, it’s interesting that Community Health Centers looks to the Federal Government to “create a national cyber defense that can prevent this type of criminal invasion from happening in the future”.  There may be some justification to their position, as it’s the Federal Government that’s been dictating so much of what has been happening in medicine.

HIPAA, the 1996 Health Insurance Portability and Accountability Act; ASCA, the 2001 Administrative Simplification Compliance Act; HITECH, the 2009 Health Information Technology for Economic and Clinical Health Act; PPACA, the 2010 Patient Protection and Affordability Act all, along with regulations promulgated under them, address, in various ways, requirements concerning electronic medical records, their use, protection and transmission.  While purported to be money saving measures or patient protections, this maze of imposed regulations, with cost of compliance and threat of substantial penalties, has been driving doctors out of independent practice to hospital employment or out of the profession entirely, while exposing patients to hacking risks, as we’ve seen here.

In addition, can the same Federal Government that runs the Post Office or Veterans Administration really ever do more than stay one step ahead of hackers in protecting us, as the cost of the attempt must be born by all?

Note: This article shared to WatchdogWire-Pennsylvania