Unlikely Hackers Target Personal Info of 4.5M Tennessee Hospital Patients

Hackers have breached a Tennessee hospital system’s electronic data program and accessed the personal information of approximately 4.5 million patients, in what is being called the largest attack of its type involving patient information. While the hackers involved in the security breach on Community Health Systems—a large hospital system based in Franklin, Tennessee—have been identified as group of hackers in China, investigators are baffled by this identification because these particular hackers typically target valuable intellectual property rather than personal medical records.

Stolen Information

The data that has been compromised in the breach includes patient names, addresses, birth dates, telephone numbers, and social security numbers. One report revealed, however, that no credit card information or medical data was accessed during the incident. The information that was compromised included that data from “approximately 4.5 million individuals who were referred for or received services from physicians affiliated with the [hospital system] in the last five years.” The information that was accessed is protected under the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191).


The security firm which has been hired to lead the attack FireEye Inc., subsidiary Mandiant, identified the hackers as the Chinese group known as APT 18, which is known for high-level espionage-like hacking of intellectual property belonging not only to firms in the health care industry but also in aerospace, defense, and engineering. The Washington Post quoted Mandiant director Charles Carmakal, as stating, “We have tracked this group for the last four years and we have never seen them steal this type of information before.” Among the theories that were floated to explain this surprising hack from a group that has not shown any prior interest in medical records was that the “group was simply stealing everything it could from Community Health Systems and, in the process, sucked up patient records from corporate servers.”

Cybersecurity, Generally

While Mandiant noted that the hackers were “able to bypass the company’s security measures and successfully copy and transfer certain data outside the company,” experts commented on the inefficiencies of the security systems of large health care providers in general. Philip Lieberman, president of Lieberman Software, was quoted as asserting that “too few health care companies invest in computer security,” despite warnings from the FBI and the little protection that is offered under HIPAA.

Community Health Systems

After confirming that this breach took place in July of 2014 and has since been “eradicated” from its system, Community Health Systems—which operates or leases 206 hospitals in 29 states—announced that it would notify potential victims of the theft and offer these individuals identity protection services. Recently, Wolters Kluwer reported on a settlement between Community Health Systems and the Department of Justice in which the hospital system agreed to pay $98.15 million to settle claims against it regarding alleged violations of the federal False Claims Act and the physician self-referral law, or Stark Law.