August 20, 2014
We want to express sincere regret to the patients of affiliated physician practices and clinics whose data was accessed in a foreign-based cyber-attack of our computer network. We value the trust you have placed in us for your care and it is our priority to ensure those who were affected by this attack are notified about the breach and have their questions answered. If you were affected by the data breach, you will receive a letter with more information and a toll-free number to call to learn about the free credit monitoring and identity theft consultation and restoration services offered to affected patients. The following notice contains more details about the breach, measures we are taking to notify you, and how we are improving the way we protect health your information.
In July 2014, Community Health Systems Professional Services Corporation (“CHSPSC”) confirmed its computer network was the target of an external criminal cyber-attack in April and June 2014. CHSPSC, a Tennessee company, provides management, consulting, and information technology services to certain clinics and hospital-based physicians in this area.
CHSPSC believes the attacker was an “Advanced Persistent Threat” group originating from China, which used highly sophisticated malware technology to attack CHSPSC’s systems. The intruder was able to bypass the company’s security measures and successfully copy and transfer some data existing on CHSPSC’s systems.
Since first discovering the attack, CHSPSC has worked closely with federal law enforcement authorities in connection with their investigation of the matter. CHSPSC also engaged an outside forensic expert to conduct a thorough investigation and remediation of this incident. CHSPSC has implemented efforts designed to protect against future intrusions. These efforts include implementing additional audit and surveillance technology to detect unauthorized intrusions, adopting advanced encryption technologies, and requiring users to change their access passwords.
The majority of patients of clinics and hospital-based physicians affiliated with CHSPSC were not affected by this breach. Individuals whose information was taken in this cyber-attack will be mailed a letter informing them about the data breach and how to enroll in free identity theft protection and credit monitoring services. The data taken includes patients’ names, addresses, birthdates, social security numbers, and, in some cases, telephone numbers, and the names of employers or guarantors. However, to the best of CHSPSC’s knowledge, NO credit card information was taken and NO medical or clinical information was taken. CHSPSC recommends that you remain vigilant for incidents of fraud and identity theft by reviewing your credit report and accounts for unauthorized activity.
Anyone with questions about this cyber attack can call 1-877-223-3764 toll-free. For information on preventing identity theft or to report suspicious activity, contact the Federal Trade Commission at 1-877-438-4338 or get free information at www.ftc.gov.
What to do if you received a notification letter about this data breach:
We’ve made arrangements with a third-party vendor to provide those affected with identity theft consultation and restoration services. Those who receive a letter should call 1-877-223-3764 between 8 a.m. and 6:30 p.m. (Central) Monday through Friday if they have a question or need assistance. Only those who receive a letter will be eligible for this service and will need the membership number listed on that letter when making the call. This service will not ask for payment or credit card information as a condition of receiving identity theft consultation or restoration services.
PLEASE NOTE: We will NOT call or email anyone requesting any personal information as a result of this situation. If you receive an unsolicited call or email that appears to be from CHSPSC, Community Health Systems, your local hospital or physician office, please do not provide any personal information in response to these calls or emails.