Owner of Commonwealth Health says Data for 4.5 Million Patients Hacked
FRANKLIN, TENN — Community Health Systems, the owner of Commonwealth Health in Northeastern Pennsylvania announced Monday that it was the target of a cyber attack affecting millions of patients’ data.
In a filing with the U. S. Security and Exchange Commission, one of the largest owners of hospitals in the United States reported that it believes the hacking happened in April and June of this year. Investigators for CHS believe a group from China is responsible for the attack, using sophisticated technology.
Community Health Systems’ filing reported that the theft was believed to target valuable intellectual property such as medical and equipment data, but it is also believed that non-medical patient identification information was taken from the files of 4.5 million individuals. It impacts patients from the last 5 years who received services from physicians affiliated with the company. That includes many doctors in Northeastern Pennsylvania.
Commonwealth Health owns Moses Taylor and Regional Hospital of Scranton in Scranton, Wilkes-Barre General Hospital, Tyler Memorial Hospital near Tunkhannock and First Hospital in Kingston.
Community Health Systems also owns Sunbury Community Hospital and Lock Haven Hospital in Central Pennsylvania.
In its SEC filing, the company said that the data stolen does not include medical or credit card information for patients, but does include their names, addresses, birth dates, phone numbers and Social Security numbers. Community Health Systems says affected patients will be notified.
Commonweath Health released the following statement on the attack:
“The attack does not involve Commonwealth Health-affiliated hospital-specific data, Physicians Health Alliance, Great Valley Cardiology or InterMountain Medical Group practices.
Limited personal identification data belonging to some patients who were seen at the Berwick Medical Professionals practices, Wilkes-Barre Academic Medicine Clinic, Wyoming Valley Surgical Associates, Wilkes-Barre Neurosurgical Associates, Scranton Clinic Company and Wilkes-Barre Clinic Company over the past five years was transferred out of our organization in a criminal cyber attack by a foreign-based intruder. The transferred information did not include any medical information or credit card information, but it did include names, addresses, birthdates, telephone numbers and Social Security numbers.
Patients who have been affected will receive a letter from their physician’s office. A toll-free number (1-855-205-6951) has been set up to answer patients’ questions.
We take very seriously the security and confidentiality of private patient information and we sincerely regret any concern or inconvenience this event may cause our patients. Though we have no reason to believe that this data would ever be used, all affected patients are being notified by letter and offered free identity theft protection.
Our organization believes the intruder was a foreign-based group out of China that was likely looking for intellectual property. The intruder used highly sophisticated methods to bypass security systems. The intruder has been eradicated and applications have been deployed to protect against future attacks. We are working with federal law enforcement authorities in their investigation and will support prosecution of those responsible for this attack.”
Renita Fennick | Director of Communications | Commonwealth Health