Hackers Steal Data Of 4.5 Million US Hospital Patients

itwbennett (1594911) writes Community Health Systems said the attack occurred in April and June of this year, but it wasn't until July that it determined the theft had taken place. Working with a computer security company, it determined the attack was carried out by a group based in China that used 'highly sophisticated malware' to attack its systems. The hackers got away with patient names, addresses, birthdates, telephone numbers and Social Security numbers of the 4.5 million people who were referred to or received services from doctors affiliated with the company in the last five years. The stolen data did not include patient credit card, medical, or clinical information.

Re:Well I for one

[The Grim Reefer]

Yes, but think of all the new medical breakthroughs and publications that will be coming out of China in the next few years. ;-)

Re:

[wooferhound]

I guess this needs to be reported, but, is it news anymore?

Re:

[dcollins117]

I guess this needs to be reported, but, is it news anymore?

Yes. It is huge news for anyone who seeks medical care in the US. Your supposedly confidential records are not confidential. It's criminal and I hope to see everyone responsible for mismanaging medical records prosecuted.

Re:Well I for one

[ShanghaiBill]

Your supposedly confidential records are not confidential.

My name, address, and phone number are already public information, and in the phone book. The only "confidential" information they got was the SSN, and that should be fixed by making it illegal to use SSNs as authentication. I am required to disclose my SSN to employers, contractees, financial institutions, creditors, etc. It is ridiculous to then assume that mere knowledge of my SSN is "proof" that I am me.

Re:

[Aighearach]

contractees should be given an EIN not a SSN.

Re:

[Aighearach]

That sounds circular and crazy; he needs an EIN to be safe, but according to you he doesn't need one because of [unrelated reasons].

No, really man. Contractors with no employees should be giving out an EIN, not a SSN. They are free and you're allowed to have them. And they cannot be used for credit applications, only for tax reporting.

Re:

[Jason Levine]

All someone needs is your name, address, SSN, and birthdate and they can use your identity to open a credit card in your name*. Trust me, I know this from personal experience. If the thieves hadn't paid for rapid delivery of the credit card and THEN changed the address on the card, the card would have been delivered to them, not me. I wouldn't then have realized what was up until the collection agencies were banging down my door and my credit rating was in shambles. Instead, I was able to cancel the car

Re:

[dcollins117]

* As an aside, that mother's maiden name "security" question on the forms? Let's just say that the TSA provides more security than this does.

Mother's maiden name is a terrible security question anyway. It's often quite easy to find that data by checking geneology sites like Ancestry.com, or by the judicious use of Google. Marriage and funeral notices often include members of the entire family, and their relationships.

Not to mention the many "people finder" type sites that will sell you all the personal information you could hope for on a person for a nominal fee.

Re:

[Jason Levine]

Given my experience, thieves don't need to go that far. The people who stole my identity used a completely and utterly incorrect Mother's Maiden Name and were still approved. (They also tried to immediately change the address on the card and get a $5,000 cash advance before it was activated. None of these things raised red flags, apparently.)

Re:

[hawkinspeter]

How dare you say that! We've been more inept for much longer than the USians. We'd make sure that a random doctor loses his unencrypted laptop with all the data on it.

Got SS number but

[raind]

"The stolen data did not include patient credit card, medical, or clinical information."

That seems to be a rather dubious claim.

Re:

[ShanghaiBill]

This should warrant jail time.

America already imprisons more people than any other country. Many states spend more on prisons than on higher education. If, in addition to criminals, we want to also imprison the merely incompetent, we will need ten times as many prison cells.

Re:

[Anonymous Coward]

Assassination is an effective tool if used properly. Simply offer $200K a head with a 5 million bonus for the entire team responsible, dead or alive.

Re:

[Khyber]

Dubious? No. The information stolen is more relevant to stealing one's identity, creating false residency documentation, etc. Name, address, social security number? Ripe for identity fraud.

Re:

[jimbolauski]

I sure am glad that I have refused to give out my SS# to hospitals, doctors, insurance companies, ... Most don't seem to care if it's omitted, so I don't have to explain that I'm not comfortable giving them that information making me look like a tinfoil hat hearing nut job.

why internet connected?

[Anonymous Coward]

What were such systems doing connected to the public internet?

You reap what you sew. Put a system on the internet that is a big enough target, and it WILL be owned. The safe approach is physical separation coupled with careful local access control to prevent USB-style attacks (though with physical separation it is hard for them to phone home again).

Re:

[epyT-R]

convenience rules the internet of things.

Re:why internet connected?

[Sarten-X]

This is utterly ignorant.

Many (if not most) healthcare providers in the US are affiliated with a larger organization, such as Community Health Systems. The branch offices need to have access to patient data from other affiliated providers, and given that this includes emergency rooms and other urgent-care facilities, the information must be available as quickly as possible. Physical separation is not a reasonable option.

Re:why internet connected?

[Sabbatic]

Kind of ignorant to assume that such information sharing, which is only about 25 years old, is so absolutely vital that anyone who questions it is foolish. I don't recall vast numbers of people dying in ER's across the country pre-internet as opposed to post. It's useful, no doubt, and saves some lives, but if the data can't be handled responsibly, it's reasonable to ask whether the benefit is worth the cost of exposing millions of people to massive breaches of privacy and risk of identity theft. In any event, since you have positioned yourself as knowledgable about emergent care, I can assume that you are fully aware that the quick life-and-death decisions in ER's happen more quickly than would allow for a read-through of someone's medical history. In fact, too much data has been shown to lead to more misdiagnoses in ER's.

Re:

[ColdWetDog]

This is most likely billing info. Until healthcare is free, you're going to have billing info. No way around it. The clinical info isn't really useful to your common crook - hard to make a buck out of knowing who has herpes since the pharmaceutical companies have already gleaned that information by paying your local pharmacist to tell them (legal and lucrative).

So, it's the old name, rank and social security number routine.

Re:

[msauve]

"the pharmaceutical companies have already gleaned that [personal info on who uses what drugs] information by paying your local pharmacist to tell them (legal and lucrative)."

Prima facie, that seems to be a HIIPA violation. Cite supporting your statement?

Re:

[mrchaotica]

It's not a HIPAA violation because it's "aggregated and anonymized" (but we all know how easy it is to de-anonymize that kind of thing...).

I've heard it first hand from somebody who works at a medical billing software company (not going to be more specific for employment reasons, sorry).

Re:

[msauve]

The claim was "knowing who has herpes..."

That doesn't fit with "aggregated and anonymized" regardless of your unsupported claim that such info is easily de-anonymized.

Re:

[mrchaotica]

regardless of your unsupported claim that such info is easily de-anonymized.

1. 1. A huge amount of de-anonymization research is being done these days (both academically and by companies like Google, Amazon, etc.)
2. 2. Medical billing companies are trying to maximize profit, so they aren't going to put much effort into preventing de-anonymization (i.e., they're going to do the bare-minimum to be plausibly HIPAA-compliant).

Given the above, I think the idea that such info might not be easily de-anonymized is the e

Re:

[msauve]

Logic fail. You're begging the question.

1. There's a huge amount of research on fusion power.

2. There's a lot of profit to be made from low cost energy.

From that, your logic would claim that fusion reactors are providing power worldwide.

Re:

[mrchaotica]

Excuse me. I guess I should have said "successful research" -- like this [dataprivacylab.org] (which is a study about a system that specifically was able to de-anonymize patient medical records!):

"Often organizations release and receive medical data with all explicit identifiers, such as name, address, phone number, and Social Security number, removed in the incorrect belief that patient confidentiality is maintained because the resulting data look anonymous; however, we show that in most of these cases, the remaining data can

Re:

[msauve]

...no mention there of "aggregated/em)" (your words) data. You continue to try to change the premises to match your pre-determined conclusion. I'm done. You're just not worth any further effort.

isp "vpn". Social security numbers

[raymorris]

Their ISP would be more than happy to set up each hospital and office building with a "dedicated virtual circuit", which is basically a VPN handled and enforced by the ISP using their carrier-grade equipment. The ISP will ensure that the black network can't access the internet (and the internet can't access the black network). One thing ISPs can do pretty well is take AWAY your internet access. All systems with confidential data are connected only to tge bkack network, which interconnects the various loca

VPNs don't solve this on their own

[dutchwhizzman]

Disclosure: I'm a professional Penetration Tester

We find plenty of this sort of setups at our customers. Customers set up VPNs, have a password policy and a virus scanner. They have firewalls and keep user policies restricted. Then we come and we trojan someone, or find a weak WiFi password or whatever we use to get a foothold inside their network all it takes is one little mistake and we're "in". Once we get there, we log keyboards, get password hashes from network or system memory and start to pivot all over the place. Usually, our software will trigger virus alerts, but staff doesn't react to those "in a timely fashion" and we get to keep going even though alarms are going off on several computers. We could cloak our malware and sometimes we do, but usually it's too much trouble and we get domain admin passwords within a few days and rule the network in such a way that admins wouldn't be able to get rid of us if we would rootkit and backdoor properly.

It takes more than some policies and a VPN these days. You need IDS, proper procedures, layered security and skilled, motivated staff that knows how to deal with security incidents. You need properly trained and aware users that aren't afraid to admit they messed up and that have no problem reporting others doing wrong either. Don't trust on a single technical measure, but implement them all and make sure you test and train on a regular basis. Get a data classification policy and protect data according to that policy. That means that stuff like SSNs and anything that can be used for identity theft should get extra layers of protection and alerting implemented. If you don't do all this, a serious intruder will usually get what they want.

Re:

[electrosoccertux]

I'm sure the GOVERNMENT would (don't worry you can trust us)

Re:VPNs don't solve this on their own

[JDG1980]

You need properly trained and aware users

In other words, we're doomed.

Re:VPNs don't solve this on their own

[jbmartin6]

I work the other side of this scenario, and while you are right for the most part (IDS technology sucks and should never be used) what you describe is an elaborate and costly setup that a minority of organizations could implement and even fewer could do effectively. It seems to me that a much more effective approach would be to limit the value (i.e. risk) of the information available to an attacker. Instead of taking extra measure to protect SSNs, ask if we even need to store them at all. I've seen a lot of incidents where I had to ask things like 'Why does this database have all this information in it when you only need three fields?' I'm not saying we should simply accept intrusion but vulnerability is infinite so moving to reduce the value of an intrusion to reduce the reward for attackers might be more effective than fruitlessly striving for perfect defense.

true, but funny you went there

[raymorris]

What you say is true, but it's funny in a way that reminds me of something I'd do.

Ac: They shouldn't be connected to the internet.
-> Sarten-X: They need to be connected to the internet in order to be connected to each other.
-> raymorris: They can be connected to each other without being connected to the internet.

Re: isp "vpn". Social security numbers

[Anonymous Coward]

The hospitals are connected back to the main datacenter in Brentwood. All ingress/egress goes through the main datacenter. They connect back to this datacenter via mpls. I can almost 100% assure you that something in the corporate datacenter is what was hacked.

I used to work there.

Re:

[chooks]

In fact, too much data has been shown to lead to more misdiagnoses in ER's.

Citation needed

What type of data are you talking about? Lots of largely irrelevant lab data? (oh look...an elevated ESR!) Or is it historical data (Why yes Doctor, I do have a metal plate in my head. Is that bad for an MRI?)

The clinical history is one of the most powerful diagnostic tools available. Even in the ED.

Re:

[forand]

Why can't they us a VPN AT LEAST? The GP is not ignorant but perhaps too idealistic. Personally while I don't think it is a good idea to have health records available on the internet I think it is far worse that our electrical system REQUIRES internet access and communication between various points. This is a horrible national security risk while private health records are rather difficult to either monetize or use (financial records excluded).

Re:

[Anonymous Coward]

You reap what you sew. Put a system on the internet that is a big enough target, and it WILL be owned. The safe approach is physical separation coupled with careful local access control to prevent USB-style attacks (though with physical separation

The problem is that so many of these large networks are stitched together from disparate systems that can't easily be cut apart without causing the whole thing to unravel. It looms ever larger as legacy hardware and software must continue to be interwoven with new

Re:

[Streetlight]

Even if the systems are not connected to the public Internet, given enough money, someone connected to the systems with proper security clearance and access, could put the data that was stolen, and more, on to thumb drives, DVDs, or whatever. Snowden apparently wasn't paid for the enormous amount of data he purloined and didn't need the internet. Not so sure how protected the data was secured from the public internet, but it didn't matter.

Re:

[Sabbatic]

So? Pretty much any security measures on anything can be compromised eventually. That doesn't mean they aren't worthwhile. The sort of operation that Snowden pulled off is much harder and rarer than some random group of hackers on the other side of the world taking shots at a system at their leisure.

Re:

[ColdWetDog]

What were such systems doing connected to the public internet?

You reap what you sew. Put a system on the internet that is a big enough target, and it WILL be owned. The safe approach is physical separation coupled with careful local access control to prevent USB-style attacks (though with physical separation it is hard for them to phone home again).

They weren't on the 'public' Internet. They got hacked. Why was this stuff even on the network? Excellent question. The quick answer is that the hospital would like to get paid. So they have to create claims. Claims these days are electronic, little to no paper. The claims have to be sent from the hospital to the insurance companies -- through a network. And that network is .... the Internet.

Yes. hospitals could just go back to point to point dialup but that's not very convenient. They most likely h

Re:

[JustOK]

It's reap what you sow.

Re:

[msauve]

It's rip what you sew. :-)

Re:

[Muad'Dave]

You reap what you sow. You sew garments, you sow seed.

Re:

[jellomizer]

You do not work in health care do you.

So when you get registered at the Hospital. Your data will electronically get sent to the Electronic Medical Record system, which then will be sent to the Lab Systems, and back, Then all this data gets fed into a billing system which then needs to electronically send this data to the insurance company to be billed. Now we also new regulations called Meaningful Use, and one of them is the ability to Send Electronic Medical Data to the Patient in less then 72 hours of th

Highly sophisticated malware used to attack system

[lippydude]

'Working with a computer security company, it determined the attack was carried out by a group based in China that used 'highly sophisticated malware' to attack its systems.'

That would be a msOffice document sent as an email attachment ..

Re:

[ColdWetDog]

"..ICE patterns formed and reformed on the screen as he probed for gaps, skirted the most obvious traps, and mapped the route he'd take through Sense/Net's ICE. It was good ICE. Wonderful ICE... ...His program had reached the fifth gate. He watched as his icebreaker strobed and shifted in front of him, only faintly aware of his hands playing across the deck, making minor adjustments. Translucent planes of color shuffled like a trick deck. Take a card, he thought, any card.

The gate blurred past. He laughed.

HIPAA Compliance

[MarkvW]

I sure hope the hackers comply with HIPAA. They sure will be in a lot of trouble if they don't.

Re:HIPAA Compliance

[Anonymous Coward]

That is a very common misunderstanding. HIPAA only applies to "covered entities." That includes healthcare clearninghouses, health plans, and healthcare providers that transmit your information electronically. For example, the hospital I work for accidentally put thousands of records on a public web site, but because we didn't at the time transmit that information electronically to others as a normal part of our business, it wasn't a HIPAA violation. Another example is a collection agency. HIPAA doesn't apply to them either. HIPAA only protects your information in a small number of the use cases.

Justification

[Charliemopps]

"They used sophisticated malware!"

What a joke. And let me guess, they're offering free credit monitoring for up to a year! It's completely inexcusable that they waited over a month to report this. I hate to see the feds get involved in anything, but this is getting ridiculous. These incidents should result in fines in the tens of millions, minimum. Then they'd take security seriously. Most serious security efforts aren't even all that expensive. It's getting all the people and systems in compliance that's t

This can't have happened.

[Richy_T]

We have had a huge amount of government regulation in place for years. This must be lies or a simple misunderstanding.

Scuse me, I think I dropped my sarcasm tag.

Re:

[50000BTU_barbecue]

You're right, a for-profit only company would never have cut costs to the IT department. Nope.

Re:

[jbmartin6]

What does "for profit" have to do with cutting costs or other IT failures? Are you claiming that the "not for profit" or "non profit" hospitals are more diligent?

Steal??

[Anonymous Coward]

The hospital still has the records right? There is no missing property, right?

Nice contrast..

[Rick in China]

with the story about 'doctor visits' over Skype, and how many posters were railing against how they were afraid of eavesdropping/decrypting of their Skype conversations. Where are they now! :D

Re:

[stephanruby]

with the story about 'doctor visits' over Skype, and how many posters were railing against how they were afraid of eavesdropping/decrypting of their Skype conversations. Where are they now!

These days, most of them are currently in China getting free medical advice and racking medical bills over Skype.

Re:

[Rick in China]

Medical advice in China is extremely cheap. Like a few RMB (less than a dollar).. the problem is, it's often wrong, and it's often intended to get you to buy medicines which is where their profit is. :D

joke's on them

[slashmydots]

Ha ha ha, I haven't been to the doctor in over 5 years. Joke's on you, bitches. Technically I worked at a hospital though.

In other words...

[Chas]

They SQL-injected Healthcare.gov and received a dump of everything that hasn't been purged out of the system since the last purge.

CHS Locations

[HangingChad]

Here's the list of Community Health Systems locations [chs.net] in case you've been to the hospital recently. Fortunately they don't have any in our area.

They are late to the party

[jbmartin6]

Given that the hospital's information is shared with all sorts of insurers, coding and transcription services, government agencies, services that comb the records looking for more insurance claims or more profitable claims, and so on, I have to say that these guys came really late to the party.

Info from someone who used to be there

[Anonymous Coward]

Disclaimer... i worked at CHS for a few years in the engineering department....there was a separate department responsible for security and theoretically they were the ones responsible make making sure that everyone was following proper security standards...

...but the catch, is that they really weren't. The organization regularly used open shares because that's what the "applications" required. One app in particular was called ProMED. during the time I was there, this app was loaded in almost every Em

Bad system design

[Natales]

First, SSNs themselves should not be "stored" in any database. They should be used dynamically for initial patient validation and stored as a salted hash. For that matter, you can do the same with DOB and other key identifiers that are not required for anything but for validation. Use an internal patient number as index for everything else. Second, use MAC (Mandatory Access Controls) for any app or microservice attempting to access specific portions of data. Any unauthorized attempt to access a record shoul

Patient Identification

[Ronin Developer]

Our gov't allowed SSNs to be used in all sorts of capacities since, I think the 1980's. I still have my SSN card which says "Not for Identification" - yeah...that old...issued in the 60's. Congress changed the rules and put us all in jeopardy by allowing SSNs to be used as a personal identifier.

How pervasive is it?

Want to write a letter to a military service member? Well, don't forget to add their SSN to the address. The military now uses SSN as the service number...it's in printed on the envelop of ev

Insecure systems or human error. END OF LINE.

[Miser]

It's either insecure systems or human error, or a combination of both that allowed this breach in my opinion. Why oh why most (not all) IT companies use the lowest common denominator or put things in for "ease of use" instead of "security" ? Folks need to start standing up to these sociopaths (the non-technical people in control) and set things up like they should be - SECURE.

They should be using locked down, secure systems (IBM Mainframes with security systems on top?) and two factor authentication. Doe

They belive it was Chinese

[future assassin]

just another boogie man to add to the list when the current terrorist hysteria doean'st work anymore. We need to lock down the nation so those Chinese hackers can't steal your computer souls. Forget the fact that some idiot let the computers get infected with malware in the first place...

How do you know it was Chinese, just because it came form an IP originating in China?

Failed security

[melting_clock]

How is it possible for those storing so much private data to have such weak security? Where is the responsibility for protecting this data?

Sadly, we live in a world where privacy and security has been given up by most and those that try to protect their personal data are treated as paranoid. Governments are moving closer to criminalising the use of encryption to protect data because it inconveniences their own spying efforts. Smartphone apps full of adware and spyware have become generally accepted, even

Re:

[Tablizer]

Well, your DIY lobotomy didn't turn out so well.

Re:

[ColdWetDog]

You should have seen him before the lobotomy.

Re:

[Tablizer]

Before? You mean her.