TRENDING:

Community Health Systems Faces Lawsuit

Legal Action Comes After Breach Affecting 4.5 Million Patients Jeffrey Roman (gen_sec) • August 26, 2014    
Community Health Systems Faces Lawsuit

Community Health Systems faces a class action lawsuit following a breach at the hospital chain that compromised information on 4.5 million patients (see: China Hackers Suspected in Health Breach).

See Also: The Alarming Data Security Vulnerabilities Within Many Enterprises

Plaintiffs in the case, who were treated at CHS-operated hospitals, allege that CHS failed to implement and follow basic security procedures to safeguard their personal information. The lawsuit does not cite any examples of fraud tied to the breach.

"As a result of the defendant's failure ... plaintiffs' sensitive information is now in the hands of thieves," claims the lawsuit, filed in the U.S. District Court for the Northern District of Alabama. "Plaintiffs now face a substantial increased risk of identity theft, if not actual identity theft. Consequently ... patients and former patients will have to spend significant time and money to protect themselves."

The lawsuit also accuses CHS of not promptly notifying patients who were affected by the breach, which "caused plaintiffs to remain ignorant of the breach and, therefore, plaintiffs were unable to take action to protect themselves from harm." It alleges breach of contract, negligence, invasion of privacy, violations of the Fair Credit Reporting Act and violations of Alabama state law. The suit seeks unspecified compensatory and punitive damages and other costs.

The hospital chain declined to comment on the litigation.

Hacking Incident

Community Health Systems, which operates 206 hospitals in 29 states, says a network data breach exposed 4.5 million individuals' personal information. Mandiant, which is providing forensics services to the hospital chain, believes that an "advanced persistent threat group originating from China used highly sophisticated malware and technology to attack the company's systems," according to Community Health System's 8-K filing to the U.S. Securities and Exchange Commission on Aug. 18.

In its 8-K filing, the hospital chain says the attack most likely occurred in April and June. Attackers used highly sophisticated malware to bypass Community Health System's security measures and successfully copy and transfer certain information out of the system, the filing says.

Compromised information includes names, addresses, birthdates, telephone numbers and Social Security numbers for patients who, in the last five years, were referred for or received services from physicians affiliated with Community Health Systems, according to the filing. The hospital chain is offering affected individuals free identity theft protection services.

Andi Bosshart, corporate compliance and privacy officer at CHS, says in an Aug. 19 notification letter posted on the hospital chain's website: "We value the trust you have placed in us for your care and it is our priority to ensure those who were affected by this attack are notified about the breach."

TrustedSec, an information security consulting service, says it learned from a "trusted and anonymous source close to the CHS investigation" that the initial attack vector into the hospital chain's systems was the OpenSSL vulnerability known as Heartbleed.

Previous
Gameover Zeus Trojan Continues Resurgence
Next
Twitter Chat: The Latest Fraud Trends

About the Author

Jeffrey Roman

Jeffrey Roman

News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.



Around the Network

Is It Generative AI's Fault, or Do We Blame Human Beings?
Is It Generative AI's Fault, or Do We Blame Human Beings?
Transforming a Cyber Program in the Aftermath of an Attack
Transforming a Cyber Program in the Aftermath of an Attack
Identity Security and How to Reduce Risk During M&A
Identity Security and How to Reduce Risk During M&A
How 'Security by Default' Boosts Health Sector Cybersecurity
How 'Security by Default' Boosts Health Sector Cybersecurity
Protecting Medical Devices Against Future Cyberthreats
Protecting Medical Devices Against Future Cyberthreats
Evolving Threats Facing Robotic and Other Medical Gear
Evolving Threats Facing Robotic and Other Medical Gear
Medical Device Cyberthreat Modeling: Top Considerations
Medical Device Cyberthreat Modeling: Top Considerations
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
Safeguarding Critical OT and IoT Gear Used in Healthcare
Safeguarding Critical OT and IoT Gear Used in Healthcare
Why Health Firms Struggle with Cybersecurity Frameworks
Why Health Firms Struggle with Cybersecurity Frameworks

Continue »

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.