Hackers Steal Data Of 4.5 Million US Hospital Patients 111
itwbennett (1594911) writes Community Health Systems said the attack occurred in April and June of this year, but it wasn't until July that it determined the theft had taken place. Working with a computer security company, it determined the attack was carried out by a group based in China that used 'highly sophisticated malware' to attack its systems. The hackers got away with patient names, addresses, birthdates, telephone numbers and Social Security numbers of the 4.5 million people who were referred to or received services from doctors affiliated with the company in the last five years. The stolen data did not include patient credit card, medical, or clinical information.
why internet connected? (Score:2, Informative)
What were such systems doing connected to the public internet?
You reap what you sew. Put a system on the internet that is a big enough target, and it WILL be owned. The safe approach is physical separation coupled with careful local access control to prevent USB-style attacks (though with physical separation it is hard for them to phone home again).
Re:HIPAA Compliance (Score:4, Informative)
That is a very common misunderstanding. HIPAA only applies to "covered entities." That includes healthcare clearninghouses, health plans, and healthcare providers that transmit your information electronically. For example, the hospital I work for accidentally put thousands of records on a public web site, but because we didn't at the time transmit that information electronically to others as a normal part of our business, it wasn't a HIPAA violation. Another example is a collection agency. HIPAA doesn't apply to them either. HIPAA only protects your information in a small number of the use cases.
Re:VPNs don't solve this on their own (Score:4, Informative)