Overseas Hackers Suspected In Second-Largest HIPAA Breach In History Affecting 4.5 Million Patients

by Leonardo M. Tamburello

In its most recent SEC 8-K filing, dated August 18, 2014, Community Health Systems, Inc. (CHS), which operates 206 hospitals in twenty-nine states, announced that an “Advanced Persistent Threat” group believed to originate from China used “highly sophisticated malware and technology” to infiltrate its computer systems “and successfully copy and transfer certain data.” The data taken was “non-medical patient identification data,” including names, addresses, birthdates, telephone numbers and Social Security numbers, affecting 4.5 million individuals who were patients of CHS-affiliated physicians in the last five years. This represents the second-largest breach of PHI in HIPAA history to date.

According to CHS, no credit card, medical or clinical information was compromised. CHS has said that it has reported this incident in accordance with federal and state law, that it will offer free credit monitoring to affected individuals, and that it carries cyber/privacy liability insurance sufficient to cover some of the losses related to remediation expenses, regulatory inquiries, litigation and other liabilities.

According to media reports, the intruders exploited the so-called Heartbleed flaw (CVE-2014-0160), a bug in the TLS heartbeat extension of OpenSSL versions 1.0.1 through 1.0.1f. A heartbeat request carries a payload together with a field stating the payload's length; the flawed code trusted that field without checking it against the data actually received, so a request claiming a large payload caused the server to reply with up to 64 KB of whatever happened to be adjacent in its memory. Repeated requests let an attacker harvest session cookies, passwords, private keys and other sensitive data without leaving a trace in ordinary server logs. Heartbleed was publicly disclosed, along with a patched OpenSSL release (1.0.1g), on April 7, 2014.
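To make the missing length check concrete, the following is an added illustration written for this page, not code from CHS, OpenSSL or the original post. It models a heartbeat record and the process memory behind it as a single constructed byte array, and places a vulnerable handler that trusts the claimed payload length beside a fixed one that validates it against the record actually received. The record layout (type, two-byte length, payload, 16 bytes of padding) follows RFC 6520; the buffer sizes and the sample "SECRET" string are assumptions for the demonstration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

/* Constructed "process memory": a heartbeat record followed by data that
 * must never leave the server (a password, a private key fragment, ...). */
#define MEM_SIZE 256
unsigned char memory[MEM_SIZE];

/* Lay out one heartbeat request at the start of memory and put the secret
 * immediately after it.  claimed_len is what the attacker writes into the
 * length field; the real payload is whatever string is passed in.
 * Returns the true length of the record as received on the wire. */
size_t setup_memory(uint16_t claimed_len, const char *payload, const char *secret) {
    size_t plen = strlen(payload);
    memset(memory, 0, sizeof memory);
    memory[0] = 1;                       /* heartbeat_request */
    memory[1] = (unsigned char)(claimed_len >> 8);
    memory[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(memory + 3, payload, plen);
    size_t record_len = 3 + plen + 16;   /* type + length + payload + padding */
    memcpy(memory + record_len, secret, strlen(secret));
    return record_len;
}

/* Pre-patch logic: copy as many bytes as the peer *claims* it sent.
 * If the claim exceeds the real payload, the copy runs past the record
 * into neighbouring memory and that memory is echoed back in the reply. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap) {
    uint16_t plen = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)rec_len;                       /* never consulted: the bug */
    if (plen > out_cap) return 0;
    memcpy(out, rec + 3, plen);
    return plen;
}

/* Patched logic: reject any record whose claimed length does not fit
 * inside the bytes actually received (the reply is silently discarded). */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap) {
    if (rec_len < 1 + 2 + 16) return 0;              /* too short to be valid */
    uint16_t plen = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)plen + 16 > rec_len) return 0; /* claim exceeds record */
    if (plen > out_cap) return 0;
    memcpy(out, rec + 3, plen);
    return plen;
}

int main(void) {
    unsigned char out[MEM_SIZE];
    /* Attacker sends a 2-byte payload but claims 100 bytes. */
    size_t rec_len = setup_memory(100, "hi", "SECRET");
    size_t n = heartbeat_vulnerable(memory, rec_len, out, sizeof out);
    printf("vulnerable handler returned %zu bytes; bytes 18..23 = %.6s\n", n, out + 18);
    printf("fixed handler returned %zu bytes\n",
           heartbeat_fixed(memory, rec_len, out, sizeof out));
    return 0;
}
```

Run stand-alone, the vulnerable handler returns 100 bytes in which the secret appears right after the 16 bytes of padding, while the fixed handler returns nothing. Note that the patch only stops further reads; anything read out before the patch was applied (keys, credentials, session tokens) stays compromised until it is rotated.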

If this loss is the result of Heartbleed, it would be among the first major breaches publicly attributed to it. Given the size of the breach, OCR will almost certainly investigate and examine whether CHS’s risk assessment and risk management programs were sufficient. Since a patch was available on the day the vulnerability was publicly announced, the investigation will likely focus on whether CHS should have updated its affected systems more promptly between Heartbleed’s disclosure on April 7, 2014 and the attacks, which occurred in April and June of 2014. Patching alone does not undo exposure that has already happened: private keys, passwords and session credentials read out of memory before the fix was applied remain usable by the attacker until they are revoked and reissued, so the timeliness of key and credential rotation is as relevant as the timeliness of the patch itself. Fortunately for CHS and the individuals affected, CHS appears to have planned in advance for a breach, as evidenced by its cyber/privacy insurance coverage.