Community Health Systems Faces LawsuitLegal Action Comes After Breach Affecting 4.5 Million Patients
See Also: HIPAA Audits: A Revised Game Plan
Plaintiffs in the case, who were treated at CHS-operated hospitals, allege that CHS failed to implement and follow basic security procedures to safeguard their personal information. The lawsuit does not cite any examples of fraud tied to the breach.
"As a result of the defendant's failure ... plaintiffs' sensitive information is now in the hands of thieves," claims the lawsuit, filed in the U.S. District Court for the Northern District of Alabama. "Plaintiffs now face a substantial increased risk of identity theft, if not actual identity theft. Consequently ... patients and former patients will have to spend significant time and money to protect themselves."
The lawsuit also accuses CHS of not promptly notifying patients who were affected by the breach, which "caused plaintiffs to remain ignorant of the breach and, therefore, plaintiffs were unable to take action to protect themselves from harm." It alleges breach of contract, negligence, invasion of privacy, violations of the Fair Credit Reporting Act and violations of Alabama state law. The suit seeks unspecified compensatory and punitive damages and other costs.
The hospital chain declined to comment on the litigation.
Community Health Systems, which operates 206 hospitals in 29 states, says a network data breach exposed 4.5 million individuals' personal information. Mandiant, which is providing forensics services to the hospital chain, believes that an "advanced persistent threat group originating from China used highly sophisticated malware and technology to attack the company's systems," according to Community Health System's 8-K filing to the U.S. Securities and Exchange Commission on Aug. 18.
In its 8-K filing, the hospital chain says the attack most likely occurred in April and June. Attackers used highly sophisticated malware to bypass Community Health System's security measures and successfully copy and transfer certain information out of the system, the filing says.
Compromised information includes names, addresses, birthdates, telephone numbers and Social Security numbers for patients who, in the last five years, were referred for or received services from physicians affiliated with Community Health Systems, according to the filing. The hospital chain is offering affected individuals free identity theft protection services.
Andi Bosshart, corporate compliance and privacy officer at CHS, says in an Aug. 19 notification letter posted on the hospital chain's website: "We value the trust you have placed in us for your care and it is our priority to ensure those who were affected by this attack are notified about the breach."
TrustedSec, an information security consulting service, says it learned from a "trusted and anonymous source close to the CHS investigation" that the initial attack vector into the hospital chain's systems was the OpenSSL vulnerability known as Heartbleed.