Community Health Systems' data breach will likely be the first of many in health care

Data breaches at health care systems are on the rise, experts say, and these will become more common in the coming years as more patient data goes digital.

Community Health Systems, a large health care group that has 206 hospitals in 29 states, said Monday that a cyberattack originating in China resulted in the theft of Social Security numbers and other personal data belonging to 4.5 million patients. The scale of the attack makes it the largest in the U.S. since the Department of Health and Human Services began tracking such events in 2009.

Hospitals and health insurance companies are accustomed to protecting data against privacy breaches, but outright cybertheft may be a threat they’re less prepared for.

In Community Health’s case, the data stolen didn’t contain any clinical data or credit card data. But the thieves did manage to grab Social Security numbers and other personal information, which crooks can cross-referenced with other data to form a composite picture of a would-be victim. It’s by using these composites that bad actors can steal identity and assets.

Specifically, the data stolen from Community Health included patient names, addresses, birth dates, and telephone numbers of patients who had seen Community Health Systems doctors in the past five years. The firm says it’s now talking to patients and regulatory agencies about what happened, and the possible implications.

The Chinese group that staged the attack appears to be the same people who have targeted databases of companies in other U.S. industries, said a representative from FireEye Inc.’s Mandiant forensics unit, which led the investigation of the attack in April and June.

The FBI, which is now investigating the case, said in April that health care providers typically do not use the same high levels of security technology as companies in other industries. Because of this, the bureau warned, health care providers and payers could be targeted.

The health care industry includes more than just hospitals and insurance companies. Health Information Exchanges, which store health data from multiple hospital systems in a given region, may be a particularly tempting target for hackers.

Also, a quickly growing class of digital health data companies stores or manages more digital patient data in order to provide services to providers or on their behalf. These companies almost always sign a “business associate” agreement with the health care organization, linking the two legally. So if a digital health company ends us suffering a data breach, the hospital could, by extension, be held responsible.