The parent company of three Polk County hospitals says criminal cyberattackers stole Social Security numbers and other information of about 4.5 million patients treated by its affiliated physician groups.
Tennessee-based Community Health Systems — which owns Lake Wales Medical Center, Heart of Florida Regional Medical Center and Bartow Regional Medical Center — said no medical or credit card records were taken in the attack, which may have happened in April and June. But Community said the attack did bypass its security systems to take patient names, addresses, birth dates, and telephone and Social Security numbers.
The data breach affects patients who were treated at the company’s clinics, not those who were solely hospital patients, said Sue Sartin, Director of Marketing and Physician Relations. The clinics all use the same software that was hacked.
“Limited personal identification data belonging to some patients who were seen at physician practices and clinics affiliated with Bartow Regional (not the hospital) over the past five years was transferred out of our organization in a criminal cyberattack by a foreign-based intruder,” Sartin said in a prepared statement. “The transferred information did not include any medical information or credit card information, but it did include names, addresses, birthdates, telephone numbers and Social Security numbers.”
Bartow Regional, previously owned by HMA, was bought by CHS along with other hospitals in a $7.6 million deal.
Sartin said patients would be notified of what happened.
“We take very seriously the security and confidentiality of private patient information and we sincerely regret any concern or inconvenience to patients. Though we have no reason to believe that this data would ever be used, all affected patients are being notified by letter and offered free identity theft protection.”
She said the organization believes the intruder was a “foreign-based group” from China that was likely looking for intellectual property.
She said the intruder has been eradicated and applications have been deployed to protect against future attacks.
“We are working with federal law enforcement authorities in their investigation and will support prosecution of those responsible for this attack.”
The attack follows other high-profile data security problems that have hit retailers like the e-commerce site eBay and Target Corp. Last year, hackers stole from Target about 40 million debit and credit card numbers and personal information for 70 million people.