Hospital operator Community Health Systems said a cyberattack took information on 4.5 million patients from its computer network earlier this year.
The theft includes information from CHS’s Rockwood Health System in Spokane, which is made up of Rockwood Clinic, Deaconess Hospital and Valley Hospital, a spokeswoman said Monday.
The Franklin, Tennessee, company said Monday that the attack took place in April and June. Patient names, addresses, birthdates and phone and Social Security numbers were stolen, although the thieves did not take medical or credit card records. CHS said in a filing with the U.S. Securities and Exchange Commission that the company believes the attack came from a group in China that used sophisticated malware and technology to get the information. Federal authorities believe the hackers were after valuable intellectual property, such as medical device and equipment development data, the company said.
Patients seen or referred in the last five years at CHS health care facilities are at risk, the filing said.
CHS bought Spokane-based Empire Health Services, parent company of Deaconess and Valley hospitals, in 2008 and Rockwood Clinic in 2010.
CHS owns, leases or operates 206 hospitals in 29 states.
The company has removed the malware from its system and finalized “other remediation efforts” to prevent future attacks, it said in its regulatory filing.
Jill Fix, spokeswoman for Rockwood Health System, said, “We take very seriously the security and confidentiality of private patient information and we sincerely regret any concern or inconvenience this event may cause for our patients. Though we have no reason to believe that this data would ever be used, all affected patients are being notified by letter and offered free identity theft protection.”
The attack follows other high-profile data security problems that have hit retailers like the e-commerce site eBay and Target Corp. Last year, hackers stole from Target about 40 million debit and credit card numbers and personal information for 70 million people.
Said Fix in a prepared statement, “Many American companies and organizations have been victimized by foreign-based cyber intrusions. It is up to the federal government to create a national cyber defense that can prevent this type of criminal invasion from happening in the future.”