Call:  (407) 331-6620 or (850) 439-1001
Toll-free:  (888) 331-6620

Data Breach

A cyber attack nets information on 4.5 million individuals.

By Michael L. Smith, R.R.T.. J.D.

Community Health Systems Inc. (CHS) is a Tennessee-based for-profit hospital chain with more than 200 hospitals and numerous medical clinics throughout the U.S. In April and June 2014, CHS was the victim of a cyber attack on its computer systems. The records of approximately 4.5 million individuals were accessed by a criminal group from China. The names, addresses, birth dates, telephone numbers and social security numbers of patients were taken. According to CHS, no credit card, medical or clinical information was taken, but the information that was taken was protected under the Health Insurance Portability and Accountability Act (HIPAA).

In August, CHS posted a notice on its web site advising patients of the data breach. CHS is notifying each individual that was affected by the breach and offering identity theft and credit monitoring services to those individuals without charge. CHS is also cooperating with federal law enforcement authorities that are investigating the cyber attack. CHS had previously reported the incident to the Security and Exchange Commission (SEC), which it was required to do as a for-profit entity.

Cyber attacks are a potential risk to protected information maintained by covered entities and their business associates. The potential for cyber attacks is one vulnerability that covered entities and their business associates should examine as part of their HIPAA risk assessments. Those same covered entities and business associates also need to plan and implement security measures to guard against potential threats including, but not limited to cyber attacks.

On April 8, 2014, the Federal Bureau of Investigation (FBI) notified hospitals and healthcare systems of the potential cyber attacks on health information. The FBI explained that health information was extremely valuable on the black market. The transition to electronic health records (EHR) and the increasing number of medical devices that are connected to the Internet has created an area for criminals to attack, according to the FBI.

A class action lawsuit against CHS was filed in Alabama Federal Court on August 20, 2014, based upon the breach of information in the cyber attack. In its filing with the SEC, CHS anticipated the potential for litigation and lawsuits by patients based upon the cyber attack. CHS also anticipates remediation expenses, regulatory inquiries, and other liabilities as a result of the cyber attack.

CHS believes the attackers are an organization from China that usually targets intellectual property for medical devices and equipment. That information would potentially be useful to produce counterfeit products and devices. In 2012, U.S. Customs & Border Patrol seized $83 million worth of counterfeit medical devices and pharmaceuticals. There is also a lucrative black market for counterfeit medical devices and pharmaceuticals outside the U.S.

Hospitals and healthcare systems may not be as protected from cyber attacks as banks, credit card companies and other organizations that have been dealing with electronic financial information for many years. Still, the organizations that regularly deal with financial information are frequently the targets of cyber attacks despite their experience and strong security measures. On August 28, 2014, major news organizations reported that the FBI was conducting an ongoing investigation of recent cyber attacks on JP Morgan Chase and other banks. Hospitals and healthcare systems, like every other organization maintaining electronic information, need to implement strong security measures and continuously monitor their systems for cyber attacks and fraudulent activity.

RTs in particular are responsible for numerous medical devices that contain health information, whether or not they are connected to Internet. RTs need to be concerned with the security of those devices, the information they retain, and the information they share while connected to the Internet.

Michael L. Smith, JD, RRT is board certified in health law by The Florida Bar and practices at The Health Law Firm in Altamonte Springs, Fla. This article is for general information only and is not a substitute for formal legal advice.

This article was originally published in: Advance for Respiratory Care and Sleep Medicine.