Trinity’s parent company, Community Health Systems Inc., said in a filing with the Securities and Exchange Commission that it was “the target of an external, criminal cyber attack” by Chinese hackers that it believes occurred in April and June and affected 4.5 million patients. A statement from Trinity said the theft affected patients who had visited the physicians or clinics within the last five years. The company and Trinity both said the stolen data did not include medical or credit card information, but did include other information, such as “names, addresses, birth dates, telephone numbers and Social Security numbers,” according to Trinity’s statement.
“We take very seriously the security and confidentiality of private patient information and we sincerely regret any concern or inconvenience to patients,” according to the Trinity statement. “Though we have no reason to believe that this data would ever be used, all affected patients are being notified by letter and offered free identity theft protection.”
Community said in the filing that the hackers were an “Advanced Persistent Threat” group originating from China who used highly sophisticated malware and technology to attack the company’s systems. The malware has been removed and new protections set up, according to the filing. The company is working with federal law enforcement authorities on an investigation and potential prosecution. But the Trinity statement also places some of the blame on the U.S. government.
“Many American companies and organizations have been victimized by foreign-based cyber intrusions. It is up to the federal government to create a national cyber defense that can prevent this type of criminal invasion from happening in the future.”