Data belonging to millions of Americans has reportedly been stolen by Chinese hackers who infiltrated a database belonging to Community Health, which, with 206 hospitals in 29 states, is one of the largest hospital groups in the United States. The incident, which took place between April and June, was revealed in a regulatory filing published Monday.
Personal information that included names, addresses, birth dates, and phone numbers was taken in the cyber attack, which affected 4.5 million patients. Social Security numbers were also stolen.
However, the taken data didn’t include medical or credit card information, Community Health said.
The hospital group said it had carried out changes to its system to improve security and has been contacting affected patients to inform them of the incident.
It’s reported to be the biggest hack involving medical patients’ personal information since 2009, when records began for incidents of this nature.
Related: Cyber crime said to cost billions each year
Security experts at FireEye’s Mandiant forensics unit – the company investigating the breach – told Reuters it’s possible the attack was carried out by skilled hacking group ‘APT 18,’ which often concentrates its efforts on not only the healthcare industry but also companies involved in sectors such as aerospace and defense, construction and engineering, technology, and financial services.
It’s thought APT 18 may have links with the Chinese government.
It’s not certain why APT 18 may have gone for personal data, as Mandiant said it’s usually more interested in intellectual property like plane blueprints and health device designs.
The Wall Street Journal reported Mandiant’s Charles Carmakal as saying, “We have tracked this group for the past four years and we have never seen them steal this type of information before.”
It added that it may simply be that the group took everything available, with patient records caught up in the hack. Whether the group attempts to do anything with the data – Social Security numbers, for example, could be sold on to those involved in identity theft – remains to be seen.