Monday, August 18, 2014

Don't worry, your information's safe. Community Health Systems says data stolen in cyber attack: just a mere 4.5 million people affected this time.

I have often written about my observations of the generally unimpressive qualifications and capabilities of IT personnel, up to and including the CIO's, in healthcare settings (e.g., baccalaureate-level education in a doctoral and post-doctoral setting, usually no clinical or biomedical experience, no computer science background, no medical informatics background, and sometimes not even a formal management information systems education) compared to other sectors such as pharma and academia.  I've written about this as an impediment to health IT progress and to healthcare IT safety.

Now, I increasingly believe the healthcare IT backwater is becoming a downright societal threat, for another reason.  Yet another in my "don't worry, your information's safe" series (

Community Health Systems says data stolen in cyber attack
Published August 18, 2014

U.S. hospital operator Community Health Systems Inc said on Monday personal data, including patient names and addresses, of about 4.5 million people were stolen by hackers from its computer network, likely in April and June.

The company said the data, considered protected under the Health Insurance Portability and Accountability Act, included patient names, addresses, birth dates, telephone numbers and Social Security numbers. It did not include patient credit card or medical information, Community Health Systems said in a regulatory filing.

It said the security breach had affected about 4.5 million people who were referred for or received services from doctors affiliated with the hospital group in the last five years.

If you're a department store, or a McDonald's, such breaches might be more understandable.  When you're a life-critical industry such as healthcare, and under HIPAA regulations regarding privacy and confidentiality, these incidents are increasingly unforgivable.

The FBI warned healthcare providers in April that their cybersecurity systems were lax compared to other sectors, making them vulnerable to hackers looking for details that could be used to access bank accounts or obtain prescriptions, Reuters previously reported.

Again, inexcusable.  Health IT amateurs (and, of course, the management recruiting firms that hospitals retain to find them, who are equally clueless about what it takes to be a health IT expert) don't just endanger your health; they endanger your economic well-being, even when you're not ill.

The company said it and its security contractor, FireEye Inc unit Mandiant, believed the attackers originated from China. They did not provide further information about why they believed this was the case. They said they used malware and other technology to copy and transfer this data and information from its system.

Just great.

Community Health, which is one of the largest hospital operators in the country with 206 hospitals in 29 states, said it was working with federal law enforcement authorities in connection with their investigation into the attack. It said federal authorities said these attacks are typically aimed at gathering intellectual property, such as medical device and equipment development data.

Oh, that's reassuring: our data's being stolen by honest thieves who would never, EVER think of selling the data to dishonest thieves who steal people's identities, and then money...

It said that prior to filing the regulatory document, it had eradicated the malware from its systems and finalized the implementation of remediation efforts. It is notifying patients and regulatory agencies as required by law, it said.

It also said it is insured against such losses and does not at this time expect a material adverse effect on financial results.

Oh, that's very nice.  Millions of people potentially put at risk, but insurance will cover the incompetence.

Perhaps the insurers should more critically evaluate the quality of work of the people they're insuring.

-- SS


Anonymous said...

Life and death dependence on whimsical systems of devices is folly.

The POTUS remains silent.

Blame the user. But no such system is safe. Period!

Anonymous said...

And it looks like it might be due to the Heartbleed SSL flaw.

InformaticsMD said...

Anonymous said...

And it looks like it might be due to the Heartbleed SSL flaw.

Indeed, that's what the Bloomberg article relates.

Our healthcare privacy and security is now dependent on flawed software in the hands of health IT amateurs. A pretty thought.

-- SS