An American hospital operator claimed its systems were compromised by Chinese hackers, resulting in 4.5 million patient records being accessed, along with social security numbers, sparking fears of mass identity fraud.
Community Health Systems (CHS) which operates over two hundred hospitals throughout the United States disclosed the hack this week, saying it believes the attack took place in April and June this year.
In a filing to with the financial regulator the United States Securities and Exchange Commission (SEC), the listed hospital operator said it worked with FireEye-owned security consultants Mandiant and American federal police to investigate what it says was an Advanced Persistent Threat (APT) attack, orginating in China.
According to Mandiant, highly sophisticated malware was used in the attack that succeeded in bypassing CHS's security measures.
The data copied by the attackers spanned the last five years and represented millions of individual patients who were referred to the hospital to receive care.
The purloined data included patients' names, their addresses, birth dates, phone numbers and United States social security numbers (SSNs).
US authorities have warned [pdf] that captured SSNs can be used by criminals in identity fraud.
SSNs are used to identify Americans to local and federal government services, including the Internal Revenue Service tax authorities.
While millions of SSNs were taken, CHS said no patient credit card data was accessed, or medical and clinical information.
CHS said in the SEC filing that it has notified the appropriate authorities and will offer identity theft protection services to the people affected by the hack.