It turns out that 4.5 million Community Health Services patients' personal data was exposed to Chinese hackers.
Information was released today that 4.5 million Community Health Services patients’ data over the past five years was breached in April and June by Chinese hackers.
The company serves rural hospitals, spanning 29 states and 206 hospitals. That’s a lot of potential identity theft for people that may not have internet access or be aware of the breach.
And yet according to the Los Angeles Times, CHS prepared for such eventualities from a business perspective.
"The hospital group said it was insured against a privacy breach of this type and does not expect material adverse effects on its finances as a result of remediation expenses, regulatory inquiries, litigation and other liabilities."
However, that won’t make patients feel particularly secure since their Social Security numbers and personal data are at risk.
Reuters reports that the FBI warned healthcare providers about possible breaches due to ineffective measures. Data holds a high value in the black market.
BBC reports that "security group Mandiant, part of FireEye, advised the company that the techniques used were similar to those used by a well-known Chinese hacking group."
Community Health says it's removed the malicious software that allowed the major breach, while taking precautionary measures against the next potential break.
Currently, the company's following legal requirements by notifying all patients and regulatory agencies of the incidents. Included in the notification is an offer to provide identity theft protection services, similar to what Target offered during their data breach last year.
In CHS's report to the United States Securities and Exchange Commission (SEC), there's an acknowledgement that the Health Insurance Portability and Accountability Act (HIPAA) was breached as well. While the stolen "patient names, addresses, birthdates, telephone numbers and social security numbers" do not break patient confidentiality on medical documents, the stealing of information still breaks HIPAA.
The BBC spoke to Tripwire's director of security research and development, Lamar Bailey, to discuss the personal ramifications.
"It impacts the person and not a company." And Bailey reiterated "this is the information needed for identity theft to allow criminals to open accounts in the names of the 4.5 million victims."
Breaching data doesn't just take away the financial and identity rights, but the emotional safety a person feels. It's not easy knowing a stranger has access to your history, where you live, who you hang around.
Identity theft's reached epidemic proportions as the world becomes more digitized. And privacy becomes harder to maintain as companies ask for personal information to verify identity over the phone.
Call about a cell phone bill and you’re required to give the last four digits of your social security number, some random fact of personal credit that you may or may not remember, and all to a complete stranger. Just to find a solution to a minor billing issue.
It's easy to drain bank accounts, ruin credit, steal your tax refund and cause a lot of financial and legal problems for the victim with such personal information. And now 4.5 million patients' information is at risk.
How do you counter possible theft?
The government's Consumer Information site says to look out for any changes that you did not approve, and to check in with your state on how to counteract the breach.
"Your state law controls the rights you have if your information is lost in a data breach. When the organization that lost your information lets you know about the breach, they should explain your options."
Meanwhile, the Department of Justice will prosecute the cases under 1998's Identity Theft and Assumption Deterrence Act, which can carry a 15-year imprisonment, loss of goods bought with stolen money, and a fine. Federal prosecutors will work with federal agencies, like the FBI or Secret Service.
The legislative act's meant to prosecute those who:
"knowingly transfer[ring] or us[ing], without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law."
DoJ recommends following S.C.A.M. (Stingy, Check, Ask, Maintain): avoid giving out private information; check to make sure all your documents are being delivered where they should be; ask for credit reports and financial documents periodically throughout the year; and keep copies of financial documents for at least a year in case of dispute.
If there's a chance of identity theft, contact the Federal Trade Commission, Social Security Administration, and IRS right away. Put a lockdown on your personal information. And then contact the credit bureaus (Equifax, Experian, TransUnion) to put a flag on any major changes to credit, like opening new accounts or purchasing big ticket items.
BBC states that in May, the US government accused five Chinese military officers of being behind breaches on US companies. However, the Chinese government called the action "groundless" and distrustful once the officers denied any involvement. So this latest news will only add more tension to the stressful situation.
In the meantime, patients who thought their data was safe in a healthcare facility must now track all documents...just in case.
Welcome to the digital age.