Chinese hackers attack US hospital, stealing 4.5 million patients' records

Personal information stolen - but credit card and medical data remained untouched, US company says

PUBLISHED : Tuesday, 19 August, 2014, 11:26am
UPDATED : Tuesday, 19 August, 2014, 11:26am

Chinese hackers allegedly attacked one of America’s biggest hospital groups, stealing personal data belonging to 4.5 million patients – making it the largest such breach since tracking started five years ago.

Community Health Systems (CHS), which operates 206 hospitals across the United States, said the hackers infiltrated its systems in April and June this year using “highly sophisticated malware and technology” to bypass its data security protection.

The stolen information included patient names, addresses, birth dates, telephone numbers and Social Security numbers of people who were referred to or received services from CHS-affiliated doctors in the last five years.

Medical information, intellectual property information or any credit card data were untouched, it said.

An investigator said the attackers appeared to be from a sophisticated hacking group in China that had breached other major US companies across several industries.

“They have fairly advanced techniques for breaking into organisations as well as maintaining access for fairly long periods of time without getting detected,” said Charles Carmakal, managing director with FireEye Inc’s Mandiant forensics unit, which led the investigation of the attack.

Working with security experts, CHS said it discovered information that the attackers were a group originating from China which works steadily to gain access to a target’s systems to steal data rather than cause damage to the systems.

Carmakal and CHS officials declined to name the group or say if it was linked to the Chinese government, which US businesses and officials have long accused of orchestrating cyber-espionage campaigns around the globe.

The Department of Homeland Security said it believed the incident was isolated to Community Health Systems, although it shared technical details about the attack with other health care providers.

A department official told Reuters it was too soon to confirm who was behind the attack.

“While attribution of this incident is still being determined by a range of partners, we caution against leaping to premature conclusions about who or how many actors are behind these activities,” said the official, who was not authorised to discuss the investigation publicly.

Social Security numbers and other personal data are typically stolen by cybercriminals to sell on underground exchanges for use by others in identity theft.

CHS said it removed malicious software used by the attackers from its systems and completed other “remediation steps”. It is now notifying patients and regulatory agencies, as required by law.

CHS said it would offer affected patients identity-theft protection services.

The scope of those victimised would make this the largest cyber attack of its type involving patient information since a US Department of Health and Human Services website started tracking such breaches in 2009.

The previous record, an attack on a Montana Department of Public Health server, was disclosed in June and affected about 1 million people.

In May, a US grand jury indicted five Chinese military officers on charges they hacked into US companies for sensitive manufacturing secrets, the toughest action to date taken by Washington to address cyberspying. China has denied the charges. FBI spokesman Joshua Campbell said his agency was investigating the case, but declined to elaborate.

Cybersecurity has come under increased scrutiny at health care providers this year, both by law enforcement and attackers.

The FBI warned the industry in April that its protections were lax compared with other sectors, making it vulnerable to hackers looking for details that could be used to access bank accounts or obtain prescriptions.

Over the past six months, security firm Mandiant has seen a spike in cyberattacks on health care providers, although this was the first case it had seen in which a sophisticated Chinese group has stolen personal data, according to Carmakal.

Chinese hacking groups are known for seeking out intellectual property such as product design or information that might be of use in business or political negotiations.

“It’s hard to tell why these guys took the data or what they plan to do with it,” said Carmakal, whose firm monitors about 20 hacking groups in China.

Dmitri Alperovitch, chief technology officer with cybersecurity firm CrowdStrike, said Chinese hackers sometimes attack health care providers to obtain medical records of government officials and even potential intelligence assets.

“Maybe they were trying to get at the medical data, but for some reason they couldn’t, so they exfiltrated everything else, figuring that it might somehow be helpful,” Alperovitch said.