CRMC’s parent company victim of data breach; CEO says local patients likely safe

Aug. 19--It is unlikely that patients of Carlisle Regional Medical Center were affected by a recent data breach in its parent company's systems, the hospital's CEO told The Sentinel Monday.

Community Health Systems Inc. said it is the victim of a hack that affected 4.5 million patients who were referred for received services in the last five years from physicians affiliated with the organization. The Franklin, Tennessee, company owns, leases or operates 206 hospitals in 29 states, The Associated Press reported.

Rich Newell, chief executive officer of Carlisle Regional Medical Center, said it does not appear as though any patients from Carlisle or Lancaster were affected. Because CRMC recently was acquired by the company, it was not on the same platform for electronic records as the rest of the hospitals owned by CHS.

"Anyone that has been impacted, the company has reached out to for identity theft protection at our cost, but none of our patients were identified," he said.

The attacker is believed to be a group that originates from China and uses a "highly sophisticated malware and technology to attack the company's systems," according to filing documents with the U.S. Securities and Exchange Commission.

The hack was discovered in July and is believed to have occurred in April and June of this year.

CHS acquired Memorial Hospital in York in 2012. It bought three former Health Management Associates Inc. hospitals -- Lancaster Regional Medical Center and Heart of Lancaster Regional Medical Center in Lancaster County, and Carlisle Regional Medical Center -- in January 2014.

According to the filing, the company confirmed that this data did not include patient credit card, medical or clinical information; the data is, however, considered protected under the Health Insurance Portability and Accountability Act because it includes patient names, addresses, birth dates, telephone numbers and Social Security numbers.

The company carries cyber and privacy liability insurance to protect it against certain losses related to matters of this nature, the filing said.

Since this kind of attack has become common, Newell said he is looking to the federal government for regulations and assistance in keeping hackers from getting personal information. He said he has been a victim of identity theft himself and it's a scary situation.

"It's quite concerning for me as an individual, but also as the CEO of a health system where we have so much patient information that we need to keep protected," Newell said. "For the American companies and organizations that are being victimized by these foreign-based cyber-intrusions, I kind of have to say it's up to the federal government to create a national cyber-defense to prevent this type of invasion from happening in the future. We have to make sure the sophistication is up to par at our federal government level because this is a government issue as well as an individual facility or company issue."

Community Health Systems did not respond to questions Monday.

------

Earlier on cumberlink.com

Carlisle Regional Medical Systems CEO Rich Newell said it does not appear as though any patients from Carlisle or Lancaster are affected by the Community Health Systems hack that was made public today.

He said because CRMC was recently acquired by the company, it was not on the same platform as the rest of the hospitals owned by CHS, so patients at CRMC were not among the 4.5 million individuals affected by the security breach.

------

Posted earlier from abc27 on Cumberlink:

Community Health Systems Inc., which owns four hospitals in the Midstate, including Carlisle Regional Medical Center, reported on Monday that its computer network was the target of an external criminal cyberattack that affected approximately 4.5 million patients.

CHS acquired Memorial Hospital in York in 2012 and three former Health Management Associates Inc. hospitals: Lancaster Regional Medical Center and Heart of Lancaster Regional Medical Center in Lancaster County, and Carlisle Regional Medical Center in Cumberland County, in January 2014, according to a story from the Central Penn Business Journal.

The attack reportedly occurred in April and June of this year and was confirmed in July.

The data transferred was non-medical patient identification data related to the company's physician practice operations, and the 4.5 million people are those who, in the last five years, were referred for or received services from physicians affiliated with the company, CPBJ reported.

The data did not include patient credit card, medical or clinical information, CHS said, but is considered protected under the Health Insurance Portability and Accountability Act because it includes patient names, addresses, birth dates, telephone numbers and Social Security numbers.

CHS said it "is providing appropriate notification to affected patients and regulatory agencies as required by federal and state law" and "will also be offering identity theft protection services to individuals affected by this attack."

The filing did not offer any further specifics on the patients affected, and comment was not immediately available from the Central Pennsylvania hospitals this morning., CPBJ reported.

CHS is under the impression the attacker was an "'Advanced Persistent Threat' group originating from China who used highly sophisticated malware and technology to attack the company's systems," the filing said. "The attacker was able to bypass the company's security measures and successfully copy and transfer certain data outside the company."

According to the filing, CHS carries cyber and privacy liability insurance.

___

(c)2014 The Sentinel (Carlisle, Pa.)

Visit The Sentinel (Carlisle, Pa.) at www.cumberlink.com

Distributed by MCT Information Services