One Million Patients’ Information Stolen in CHS Cyberattack
Community Health Systems (CHS), one of the nation’s largest health care companies, has reported a cyberattack in which the attacker stole 1 million patients’ data.
Based in Tennessee, CHS has nearly 80 hospitals in 16 states. It reported the cyberattack in a filing with the U.S. Securities and Exchange Commission (SEC).
Fortra, a CHS third-party vendor, notified the health care company that it had experienced a security incident that resulted in the unauthorized disclosure of company data.
“Fortra is a cybersecurity firm that contracts with company affiliates to provide a secure file transfer software called GoAnywhere,” CHS said. “As a result of the security breach experienced by Fortra, protected health information (PHI), as defined by the Health Insurance Portability and Accountability Act (HIPAA) and personal information (PI) of certain patients of the company’s affiliates were exposed by Fortra’s attacker.”
Upon receiving notification of the security breach, CHS launched an investigation to determine, among other things, whether any company information systems were affected, whether ongoing operations were impacted, and to what extent the attacker had unlawfully accessed PHI or PI.
“While that investigation is still ongoing, (CHS) believes that the Fortra breach has not had any impact on any of the company’s information systems and that there has not been any material interruption of the company’s business operations, including the delivery of patient care,” CHS said. “With regard to the PHI and PI compromised by the Fortra breach, the company currently estimates that approximately 1 million individuals may have been affected by this attack.”
CHS said it will ensure that appropriate notification is provided to any individuals affected by this attack, as well as to regulatory agencies as required by federal and state law. It also will be offering identity theft protection services to individuals affected by this attack.
CHS carries cyber/privacy liability insurance to protect it against certain losses related to matters of this nature. However, it may have incurred, and may incur in the future, expenses and losses related to this attack that are not covered by insurance.
“While the company is continuing to measure the impact, including certain remediation expenses and other potential liabilities, the company does not currently believe this incident will have a material adverse effect on its business, operations or financial results,” it said.
Almog Apirion is CEO and co-founder of Cyolo, a zero trust access provider.
“Health care organizations are unfortunately no stranger to cyberattacks and data breaches,” he said. “Institutions like CHS are an attractive target for threat actors due to their troves of personal information and their reliance on third parties both for cybersecurity and other aspects of their work. The reality is that when hackers exploit vulnerabilities in third-party security tools, the lives and privacy of patients are put at risk. Interoperability is vital for successful health care delivery, so a managed file transfer (MFT) is a needed solution. But when the admin console is accessible via the internet, it’s only a matter of time before data is breached. Any connection to a sensitive data source must be properly managed and secured.”
Zero trust access strategies should be employed to support the needed connections, especially between care delivery partners, Apirion said.