Chinese Hackers Collected 4.5 Million American Patients’ Private Health Data


A Chinese cyberattack has compromised the personal data of 4.5 million hospital patients, according to a filing that Tennessee-based hospital operator Community Health Systems submitted to the U.S. Securities and Exchange Commission earlier this week.

Community Health Systems, which operates more than 200 hospitals in 26 states, announced that Chinese hackers infiltrated its network between April and June, swiping the names, Social Security numbers, addresses, birth dates, and telephone numbers of patients referred to or treated by doctors affiliated with the company within the last five years.

An investigation by Mandiant, a cybersecurity company hired by Community Health Systems, implicated the advanced Chinese cybertheft group APT 18, best known for stealing information related to medical devices and development data, as the culprit. The cyberattack, which is the largest breach of its kind recorded by the U.S. Department of Health and Human Services (HHS) since data collection started in 2009, has prompted an FBI investigation.

Investigators aren’t yet sure why APT 18 targeted the community hospital system. Security experts say it’s unusual for hackers who mainly focus on corporate data to turn their attention to patients’ personal information.

But it’s not the first time the Chinese have been implicated as a threat to the national data infrastructure. A 2009 congressional advisory report declared China the “single greatest risk to the security of American technologies.” In that document, U.S. officials alleged that Chinese hackers had launched attacks against weak security systems from a remote location by sending emails with malicious software attached. Upon infiltrating data systems, hackers stole important files, monitored user activity, and even read emails, the report said.

U.S. officials’ fears may have come to fruition the following year. In 2010, Google reported attacks on its corporate system that originated from a group with ties to the People’s Liberation Army in China. The attack, known as Operation Aurora, affected more than 30 companies and prompted an internal review of Google’s relationship with China.

The cyberattacks did not stop. Throughout much of 2011 and 2012, Chinese hackers infiltrated the corporate networks of three major Israeli defense technology firms. According to Reuters, hackers collected data about Arrow III missiles, unmanned aerial vehicles, ballistic rockets, and technical documents. Intelligence officials suggested that Chinese hackers wanted information about the Iron Dome, Israel’s mobile all-weather air defense system. This July, Chinese hackers launched cyberattacks on Taiwanese data systems. Canadian officials also recently accused Chinese hackers of breaking into the database of the National Research Council, the country’s largest leading research organization.

Security experts say that breaches of health data have become more commonplace in recent years, due in part to the digitization of medical records. According to data compiled by HHS, more than six million Americans, including those affiliated with Community Health Systems, have had their data compromised in 2014. For now, Community Health Systems has taken measures to protect patients, including an increase in computer defenses, identity theft protection for those affected, and cyber insurance.