The personal information of more than four million patients may be at risk after an attacker hacked into the computer network of hospital operator Community Health Systems sometime in April and June, according to reports.
The Tennessee-based company announced on Monday that names, addresses, birthdates, phone numbers and Social Security numbers may have been compromised, a Monday Associated Press (AP) report indicates.
Community Health Systems owns, operates and leases 206 hospitals in 29 states – including in California, Florida, New York and Texas – and the possibly compromised data relates to patients who were seen by doctors associated with the organization, according to the AP report.
The attacker is believed to be Chinese and used malware to compromise the Community Health Systems computer network, the AP report indicates, adding that the malware has since been removed and other measures are being taken to prevent any similar incidents from happening again.
Further details are sparse, and Community Health Systems did not respond to multiple SCMagazine.com requests for information.
In a Monday email correspondence, Larry Whiteside, CISO with Lower Colorado River Authority, told SCMagazine.com that one possible attack vector is credentials being stolen in a phishing incident, which he explained would give the attacker remote email access.
“Then that attacker [could have] used that legitimate email to send malware to people internally from a ‘trusted’ user,” Whiteside said. “Those users [may have] unknowingly opened that trusted email and attachment, or URL, and became infected with malware.”
Another possible scenario could have involved a malware-infected USB device being connected to a computer on the network, Whiteside said, explaining that, either way, the attacker was likely able to get the credentials of someone with access to the electronic medical record system.