Data Breach Notification - August 20, 2014
We want to express sincere regret to the patients of affiliated physician practices and clinics whose data was accessed in a foreign-based cyber-attack of our computer network. We value the trust you have placed in us for your care and it is our priority to ensure those who were affected by this attack are notified about the breach and have their questions answered. If you were affected by the data breach, you will receive a letter with more information and a toll-free number to call to learn about the free identity theft protection offered to affected patients. The following notice contains more details about the breach, measures we are taking to notify you, and how we are improving the way we protect health your information.
In July 2014, Community Health Systems Professional Services Corporation (“CHSPSC”) confirmed its computer network was the target of an external criminal cyber-attack in April and June 2014. CHSPSC, a Tennessee company, provides management, consulting, and information technology services to certain clinics and hospital-based physicians in this area.
CHSPSC believes the attacker was an “Advanced Persistent Threat” group originating from China, which used highly sophisticated malware technology to attack CHSPSC’s systems. The intruder was able to bypass the company’s security measures and successfully copy and transfer some data existing on CHSPSC’s systems.
Since first discovering the attack, CHSPSC has worked closely with federal law enforcement authorities in connection with their investigation of the matter. CHSPSC also engaged an outside forensic expert to conduct a thorough investigation and remediation of this incident. CHSPSC has implemented efforts designed to protect against future intrusions. These efforts include implementing additional audit and surveillance technology to detect unauthorized intrusions, adopting advanced encryption technologies, and requiring users to change their access passwords.
The majority of patients of clinics and hospital-based physicians affiliated with CHSPSC were not affected by this breach. Individuals whose information was taken in this cyber-attack will be mailed a letter informing them about the data breach and how to enroll in free identity theft protection and credit monitoring services. The data taken includes patients’ names, addresses, birthdates, social security numbers, and, in some cases, telephone numbers, and the names of employers or guarantors. However, to the best of CHSPSC’s knowledge, NO credit card information was taken and NO medical or clinical information was taken. CHSPSC recommends that you remain vigilant for incidents of fraud and identity theft by reviewing your credit report and accounts for unauthorized activity.
Anyone with questions or concerns about this cyber-attack may contact 1-855-205-6951 toll-free beginning Wednesday, August 20, 2014, at 8:00 a.m. central time. For information on preventing identity theft or to report suspicious activity, contact the Federal Trade Commission at 1-877-438-4338 or get free information at www.ftc.gov.