Hospital operator Community Health Systems said a cyberattack took information on 4.5 million patients from its computer network earlier this year.
The theft includes information from CHS’ Rockwood Health System in Spokane, which is made up of Rockwood Clinic, Deaconess Hospital and Valley Hospital, a spokeswoman said Monday.
The Franklin, Tennessee, company said Monday that the attack took place in April and June. Patient names, addresses, birthdates, and phone and Social Security numbers were stolen, although the thieves did not take medical or credit card records. CHS said in a filing with the U.S. Securities and Exchange Commission that the company believes the attack came from a group in China that used sophisticated malware and technology to get the information. Federal authorities believe the hackers were after valuable intellectual property, such as medical device and equipment development data, the company said.
Patients seen at or referred to CHS health care facilities in the last five years are at risk, the filing said.
CHS bought Spokane-based Empire Health Services, parent company of Deaconess and Valley hospitals, in 2008 and Rockwood Clinic in 2010.
CHS owns, leases or operates 206 hospitals in 29 states.
The company has removed the malware from its system and finalized “other remediation efforts” to prevent future attacks, it said in its regulatory filing.
Jill Fix, spokeswoman for Rockwood Health System, said, “We take very seriously the security and confidentiality of private patient information and we sincerely regret any concern or inconvenience this event may cause for our patients. Though we have no reason to believe that this data would ever be used, all affected patients are being notified by letter and offered free identity theft protection.”
The attack follows other high-profile data security problems that have hit retailers like Target Corp. and the e-commerce site eBay. Last year, hackers stole from Target about 40 million debit and credit card numbers and personal information for 70 million people.
Fix said in a prepared statement, “Many American companies and organizations have been victimized by foreign-based cyber intrusions. It is up to the federal government to create a national cyber defense that can prevent this type of criminal invasion from happening in the future.”