Chinese Hackers Breach 4.5 Million Health Care Records

Community Health Systems discloses a breach that sources say points to China.


U.S. government and industrial organizations are not the only targets for Chinese hackers—health care companies are also at risk.

Community Health Systems (CHS) disclosed in an 8-K regulatory filing with the U.S. Securities and Exchange Commission (SEC) that its systems were breached in an attack that occurred between April and June 2014. The company that CHS has hired to investigate the breach believes a China-based attacker is responsible for the intrusion.

In its filing, CHS disclosed that its security was bypassed and attackers were able to copy data. "In this instance the data transferred was non-medical patient identification data related to the Company's physician practice operations and affected approximately 4.5 million individuals who, in the last five years, were referred for or received services from physicians affiliated with the Company," CHS' filing states.

According to CHS, credit card data was not included in the information that was breached. CHS has retained FireEye's Mandiant unit to investigate the breach.

Mandiant is no stranger to the world of China-based hackers. In 2013, Mandiant first identified a group within China's People's Liberation Army (PLA) that was actively attacking targets within the United States. More recently, on May 19, the U.S. Justice Department issued an indictment against five Chinese military officers for hacking into American companies.

"Mandiant, a unit of FireEye, believes a China-based attacker was responsible for the CHS intrusion," Charles Carmakal, managing director at Mandiant, told eWEEK. "The attacker is known for employing sophisticated techniques for breaching network defenses."

Carmakal added that over the past six months Mandiant has seen a spike in cyber-attacks on health care providers. That said, he noted that this is the first case Mandiant has seen of a sophisticated Chinese group stealing personal data.

"They normally go after intellectual property instead of personal data," Carmakal said.

Mandiant isn't the only group that has seen China-based attacks. Security firm CrowdStrike has been actively chronicling the activities of multiple groups within China in recent years. On June 9, CrowdStrike revealed details of a Chinese military campaign known as Putter Panda.

"We have seen Chinese nation-state actors target the health care industry in the past for both economic espionage and national security reasons," Dmitri Alperovitch, co-founder and CTO at CrowdStrike, told eWEEK.

Alperovitch noted that he was not surprised by the CHS disclosure, as hospital networks typically are very open and have understaffed security teams.

Lucas Zaichkowsky, Enterprise Defense Architect at AccessData, told eWEEK that he too was not surprised by the disclosure.

"The disclosure is mandatory, so I'd be surprised if they didn't disclose," Zaichkowsky said. "Additionally, it's well-known in the intelligence community that health care is being heavily targeted by Chinese espionage efforts due to their large, aging population."

Zaichkowsky noted that health care improvement is an objective in China's current Five-Year Plan for economic development.

CHS as a medical organization is required to be compliant with the Health Insurance Portability and Accountability Act (HIPAA). HIPAA compliance requires many of the same underlying security controls as other frameworks, such as PCI DSS, which focuses on cardholder data, Christie Grabyan, managing security associate at Bishop Fox, told eWEEK.

"The likelihood of breaches in a particular industry is not going to be influenced as heavily by the compliance requirements, but more so by the security maturity of the industry and the starting point of the organizations seeking compliance," Grabyan said. "Technical debt in terms of legacy systems, budget constraints and end-user behaviors all contribute to the effectiveness of compliance implementation."

Zaichkowsky noted that the likelihood of an organization suffering a data breach depends more on what active threat actors are pursuing.

"If an organization has access to data sought after by a determined and skilled adversary, [that organization has] an extremely high likelihood of being breached regardless of regulatory compliance requirements," Zaichkowsky said. "There are bad guys out there that should be feared much more than an auditor."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.