Community Health Systems Inc., which owns 206 hospitals in 29 states, says a network data breach exposed 4.5 million individuals' personal information.

Mandiant, which is providing forensics services to the hospital chain, believes that an "advanced persistent threat group originating from China used highly sophisticated malware and technology to attack the company's systems," according to Community Health System's 8-K filing to the U.S. Securities and Exchange Commission.

Second Major Hacker Incident

This is the second huge health data breach apparently involving hackers this year (see: Why Hackers Are Targeting Health Data).

In June, Montana state officials confirmed that 1.3 million people were being notified of a breach at the state's Department of Public Health and Human Services (see: Montana Breach Victim Tally: 1.3 Million). Hackers gained access to a public health department server, although there's no evidence that information on the server was used inappropriately, or was even viewed, officials say.

If the details of the Community Health Systems breach are confirmed by federal officials, it would be the second largest health data breach since the enactment of the HIPAA data breach notification rule in 2009. The largest breach, a 2011 incident involving TRICARE, the military health program, and its contractor, Science Applications International Corp., affected 4.9 million individuals.

Malware Involved

In its 8-K filing, the hospital chain says the attack most likely occurred in April and June. Attackers used highly sophisticated malware to bypass Community Health System's security measures and successfully copy and transfer certain information out of the system, the filing says.

Compromised information includes names, addresses, birthdates, telephone numbers and Social Security numbers for patients who, in the last five years, were referred for or received services from physicians affiliated with Community Health Systems. Patient credit card, medical or clinical information was not exposed. The hospital chain is offering affected individuals free identity theft protection services.

Community Health Systems says it has completed the removal of the malware from its systems. Federal authorities and Mandiant say the suspected intruder "has typically sought valuable intellectual property, such as medical device and equipment development data," according to the 8-K filing. "However, in this instance the data transferred was non-medical patient identification data related to the company's physician practice operations."

The statement also notes: "Since first learning of this attack, [Community Health Systems] has worked closely with federal law enforcement authorities in connection with their investigation and possible prosecution of those determined to be responsible for this attack."

Community Health Systems says it carries cyber-liability insurance. "While this matter may result in remediation expenses, regulatory inquiries, litigation and other liabilities, at this time, the company does not believe this incident will have a material adverse effect on its business or financial results."

Officials at the hospital chain did not immediately respond to a request for additional information.