CHS Starts Notification Process Following Huge Breach

Hospital chain Community Health Systems, which suffered a massive breach of protected health information, on August 20 will formally notify the HHS Office for Civil Rights and media outlets and begin the patient notification process, as well as post notices on its websites, a spokesperson tells Health Data Management.


The 206-hospital organization disclosed the breach on August 18 in a filing with the Securities and Exchange Commission, as the hacking of ambulatory patient data including Social Security numbers for 4.5 million patients is a “material event” that publicly held companies must immediately report. CHS believes the hacking originated from a ring in China with attacks occurring in April and June 2014. Affected patients will receive identity protection services at no cost for one year. In addition to SSNs, other compromised data included names, addresses, birthdates and telephone numbers--a perfect recipe for fraud.

Linn Freedman, a partner and information security specialist in the Nixon Peabody law firm in Providence, R.I., says sophisticated hacks are very challenging to prevent and healthcare organizations have to find ways to keep sensitive information out of their systems. Right now, “The bad guys are very sophisticated and the good guys are trying to catch up,” she adds.

Many healthcare organizations, Freedman says, are vulnerable and frustrated because they would like to better secure data but do not have the resources. But there still are ways to boost security.

One way is to take a closer look at SSNs, because as long as they are in information systems, healthcare organizations will continue to be targeted--and many of them don’t need the SSN, she says. Those who need it should encrypt the number at rest or mask most of the number, such as using only the last four digits.
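As an added illustration of the two suggestions above (example code written for this page, not code from the article, CHS or Nixon Peabody), the Python below masks an SSN down to its last four digits and, going one step beyond the article, replaces the stored number with a keyed HMAC-SHA256 token so two records can still be matched without the SSN itself sitting in the database. The SSA-range validation, the record layout, the sample patient and the key are constructed for the example; a production key would be held in a KMS or HSM, not in source.

```python
import hashlib
import hmac
import re

# Accepts 123-45-6789 or 123456789 (anchored, whole string).
SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")
# Looser pattern for spotting dashed SSNs embedded in free text such as notes or logs.
SSN_IN_TEXT = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def normalize_ssn(raw: str) -> str:
    """Return the nine digits of an SSN, or raise ValueError.

    Rejects ranges the SSA never issues (area 000, 666 and 900-999,
    group 00, serial 0000); this is an added sanity check, not something
    the article prescribes.
    """
    m = SSN_RE.match(raw.strip())
    if not m:
        raise ValueError("not a well-formed SSN")
    area, group, serial = m.groups()
    if area in ("000", "666") or area.startswith("9") or group == "00" or serial == "0000":
        raise ValueError("SSN lies in a range the SSA does not issue")
    return area + group + serial


def is_valid_ssn(raw: str) -> bool:
    """Boolean wrapper around normalize_ssn for callers that just need yes/no."""
    try:
        normalize_ssn(raw)
        return True
    except ValueError:
        return False


def mask_ssn(raw: str) -> str:
    """Display form that keeps only the last four digits, as the article suggests."""
    return "***-**-" + normalize_ssn(raw)[-4:]


def pseudonymize_ssn(raw: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 token of the SSN.

    The token lets two records with the same SSN be matched without the
    number itself being stored. The key is essential: an unkeyed hash of a
    nine-digit number is reversed by enumerating all ~10^9 candidates.
    """
    return hmac.new(key, normalize_ssn(raw).encode(), hashlib.sha256).hexdigest()


def redact_record(record: dict, key: bytes) -> dict:
    """Copy of a patient record with the full SSN replaced by mask plus token."""
    out = {k: v for k, v in record.items() if k != "ssn"}
    out["ssn_last4"] = mask_ssn(record["ssn"])
    out["ssn_token"] = pseudonymize_ssn(record["ssn"], key)
    return out


def scrub_text(text: str) -> str:
    """Mask dashed SSNs that have leaked into free text (notes, tickets, logs)."""
    return SSN_IN_TEXT.sub(lambda m: "***-**-" + m.group(3), text)


if __name__ == "__main__":
    # Constructed sample record and key; a real key would live in a KMS or HSM.
    key = b"constructed-demo-key-rotate-me"
    patient = {"name": "Pat Example", "dob": "1970-01-01", "ssn": "123-45-6789"}
    print(redact_record(patient, key))
    print(scrub_text("Called patient re: claim, SSN 123-45-6789 verified by phone."))
```

Storing only the last four digits and the keyed token removes the full SSN from the system, which is the point Freedman makes about not being a target in the first place; the masked record still combines last-four with name and birthdate, so it should be handled as sensitive, just less catastrophic to lose.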

Determining an organization’s level of information security is always a risk-based decision, and different organizations have differing appetites for risk, says Dennis Spaulding, global information security officer at information systems seller and implementer Insight Enterprises.

Spaulding is not familiar with Community Health Systems information technology infrastructure and cautions that while encryption often is a viable and effective security initiative, there are situations where encryption is not a practical answer because data isn’t available internally as well as externally. In making a choice about encryption, organizations should keep in mind that security research firm Ponemon Institute estimates the average cost of a compromised record in the United States at $246, he notes.

The CHS hacking is the second largest breach since HHS/OCR began tracking such incidents in late 2009. In September 2011, backup tapes containing PHI on 4.9 million individuals from the military Tricare health insurance program were stolen along with other items from the car of an employee of contractor SAIC.

HHS/OCR’s public website of major breaches lists at least 89 hacking incidents that each affected 500 or more patients, with the number increasing through 2013 and 2014. When the CHS breach is posted it will be by far the largest hacking event involving protected health information. Other major PHI hacks--the largest occurring at government agencies--include Montana Department of Public Health and Human Services (1,062,509 affected individuals); Utah Department of Health (780,000); Puerto Rico Department of Health (475,000); St. Joseph Health System in Texas (405,000); UW Medicine in Washington (76,183); and L.A. Gay & Lesbian Center (59,000).
