Community Health Systems Reports Largest HIPAA Breach of 2014

The largest HIPAA compliance breach of 2014 has just been reported by Community Health Systems (CHS) following a security incident in which hackers managed to gain access to a database of 4.5 million of the healthcare provider’s patient records.

Community Health Systems is a large healthcare system comprising 206 hospitals with a presence in 29 states. The largest HIPAA breach of 2014 affects individuals who have visited one of its hospitals for medical services during the past five years. The data obtained by the thieves includes patient names, Social Security numbers and contact telephone numbers, as well as the name of their treating physician(s).

This material is classified as Protected Health Information (PHI); combined with the personal identifiers also obtained by the thieves, it makes this the largest HIPAA breach of 2014, second only to the Tricare data breach of 2011. It ranks as the largest hacking incident to affect the healthcare industry, as the Tricare breach was caused by the improper disposal of records.

Questions are now being asked about the defenses CHS had in place to protect its networks, and how hackers managed to break through and obtain such large volumes of PHI. According to a Securities and Exchange Commission filing made by CHS on August 18, 2014, the attack was of a “highly sophisticated” nature.

CHS has managed to establish that hackers accessed its computer systems on two occasions this year. Hackers first gained access in April, then again in June, but the incidents went undetected until July of this year. Whether it was the intention of the hackers to break into the network to steal PHI is not known; however, the preliminary investigations conducted by CHS show that the attack appeared to have been conducted by a group of Chinese hackers.

While this does rate as the biggest HIPAA data breach of 2014, fortunately medical information – apart from doctors’ names – was not obtained by the thieves, and neither was medical insurance information nor claim numbers. The breach could have been considerably worse. However, since Social Security numbers were obtained, the victims will face a high risk of fraud using their personal information.

The data held by healthcare providers is highly valuable as it can be used to commit multiple crimes. In addition to monetary theft or goods and services that can be fraudulently obtained by criminals with financial information, Social Security numbers can be used to file false tax claims, steal identities and fraudulently obtain medical services.

As a result of the risk of damage and loss, covered entities are required to take prompt action to mitigate any damage caused. This includes providing the victims with credit monitoring services. Breach notification letters must also be sent within 60 days of the discovery of the breach; the incident must be reported to the media; and actions taken to ensure that similar incidents are prevented in the future.

Investigations continue at CHS to determine the exact nature of the attack and how the thieves gained access to its systems, although the healthcare provider does believe its servers have now been secured.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news