Patient info stolen from CHS computers

WARREN – A cyber attack that struck the parent company of several local hospitals and health care facilities included Social Security numbers and other personal information of local patients, hospital officials confirmed Monday.

Health care giant Community Health Systems, which owns or operates 206 hospitals nationwide, including locally based ValleyCare Health System of Ohio, said a cyberattack took information on about 4.5 million patients from its computer network in April and June.

The Tennessee-based publicly traded company on Monday released the information in a filing with the federal Securities and Exchange Commission. In the filing, Community Health Systems, or CHS, said its computer network was the target of an “external, criminal cyber attack” by what is believed to be an “advanced persistent threat group originating from China who used highly sophisticated malware and technology to attack the company’s systems.”

ValleyCare spokeswoman Trish Hrina on Monday confirmed personal identification of some local patients who have been seen in the last five years at associated physician practices and clinics was among the information that was electronically stolen. Hrina did not say how many local patients were affected.

ValleyCare operates Trumbull Memorial Hospital in Warren, Northside Medical Center in Youngstown, Hillside Rehabilitation Center in Howland and many other ancillary facilities and physician offices.

The transferred information included names, addresses, birthdates, telephone numbers and social security numbers.

It did not, however, include any medical information or credit card information, both Hrina and the SEC filing noted.

All affected patients are being notified by letter and offered free identity theft protection, Hrina said. “We take very seriously the security and confidentiality of private patient information, and we sincerely regret any concern or inconvenience to patients,” Hrina said in a prepared statement.

CHS said the attack bypassed its security systems. Community Health has since removed the malware from its system and finalized “other remediation efforts” to prevent future attacks.

The SEC filing also indicated that CHS carries cyber/privacy liability insurance to protect it against certain losses related to matters of this nature, and CHS executives do not believe the incident will have a “material adverse effect on its business or financial results.”

Shares of Community Health climbed 66 cents in trading Monday to close at $51.66.

The attack follows other high-profile data security problems that have hit retailers like the e-commerce site eBay and retailer Target Corp. Last year, hackers stole from Target about 40 million debit and credit card numbers and personal information for 70 million people.