Estimated read time: 3-4 minutes
This archived news story is available only for your personal, non-commercial use. Information in the story may be outdated or superseded by additional information. Reading or replaying the story in its archived form does not constitute a republication of the story.
NEW YORK (CNNMoney) — Community Health Systems, which operates 206 hospitals across the United States, announced on Monday that hackers recently broke into its computers and stole data on 4.5 million patients.
One of the 206 affected hospitals is Mountain West Medical Center in Tooele. Evanston Regional Hospital in Evanston, Wyoming is also affected.
Hackers have gained access to their names, Social Security numbers, physical addresses, birthdays and telephone numbers.
Anyone who received treatment from a network-owned hospital in the last five years — or was merely referred there by an outside doctor — is affected.
The large data breach puts these people at heightened risk of identity fraud. That allows criminals open bank accounts and credit cards on their behalf, take out loans and ruin personal credit history.
TOOELE — For some patients at Mountain View Health Care, the news that Chinese hackers might have their personal information is frustrating, to say the least.
"They basically told us there's not much they can do. They'll watch our accounts for a year," said Jeanette Lawrence.
Lawrence said she's already fallen victim to identity theft in a completely different case.
"Now they've even got my Social Security number and name that somebody's using, and I'm getting collection bills from other people in other countries, and in the United States," she said.
It wasn't clear Monday whether Lawrence's information was compromised this time; management at Community Health Systems is still combing through the data.
"This is really devastating for us to hear because we take security for all of our patients seriously," said Phil Eaton, CEO of Mountain West Medical Center.
"From what we can tell, they're looking for information that had to do with certain clinical applications, as opposed to individual information," he said.
Still, Mountain West administrators are taking precautions since names, addresses and Social Security numbers were included in the files.
Eaton said his hospital was not affected because it's on a different computer system, and it was hard to say Monday which, if any, of Mountain West's seven clinics were breached. Patients of each clinic will get letter explaining the breach, he said.
"It wasn't financial in nature, so credit cards are not affected," Eaton said.
At the very least, Lawrence hopes cases like this will urge U.S. leaders and companies to make some drastic changes.
"Something's gotta be done with people hacking into computers, or there need to be severe penalties," she said.
Email: manderson@ksl.com
The company's hospitals operate in 28 states but have their most significant presence in Alabama, Florida, Mississippi, Oklahoma, Pennsylvania, Tennessee and Texas.
Community Health Systems hired cybersecurity experts at Mandiant to consult on the hack. They have determined the hackers were in China and used high-end, sophisticated malware to launch the attacks sometime in April and June this year.
The FBI said it's working closely with the hospital network and "committing significant resources and efforts to target, disrupt, dismantle and arrest the perpetrators."
Federal investigators and Mandiant told the hospital network those hackers have previously been spotted conducting corporate espionage, targeting valuable information about medical devices.
But this time, the hackers stole patient data instead. Hackers did not manage to steal information related to patients' medical histories, clinical operations or credit cards.
Still, the lost personal information is protected by the Health Insurance Portability and Accountability Act, the federal health records protection law. That means patients could sue the hospital network for damages.
As for exposed victims protecting themselves? There's little they can do. They won't be truly protected from fraud until numerous government agencies, credit bureaus, banks, data brokers and others update their systems.
Making matters worse, Community Health Systems said it will provide notification to the 4.5 million patients "as required by federal and state law," which is inconsistent and varies by region. There is no federal data breach law that requires timely and transparent disclosure that sensitive personal information was lost.
Shares of the publicly-traded Community Health Systems edged lower Monday morning. But the company tried to stem worries about the damages in a filing Monday with the Securities and Exchange Commission, saying that it "carries cyber/privacy liability insurance to protect it against certain losses related to matters of this nature."
The hospital network said that just before Monday's announcement, it managed to wipe the hackers' malware from its computer systems and implemented protections to prevent similar break-ins.
The company plans to offer identity theft protection to the 4.5 million victims of the data breach.
CNN's Evan Perez contributed to this report.
Contributing: Mike Anderson
The-CNN-Wire™ & © 2014 Cable News Network, Inc., a Time Warner Company. All rights reserved.
