Wednesday, August 20, 2014 Information on 4.5 Million Patients Stolen in Largest Recorded Health Care Cyber-Attack The largest recorded cyber-attack on a health care operation has succeeded in stealing information on 4.5 million patients associated with Community Health Systems (CHS), a Tennessee-based company that owns, operates, or leases 206 hospitals in 29 states. Although CHS maintains that the information does not include payment or clinical information, hackers were able to access names, addresses, social security numbers, and other data. In an August 18 filing with the US Securities and Exchange Commission (SEC), CHS reports that hackers successfully accessed confidential files in April and June of 2014 through the use of malware that was able to bypass the company's security systems. According to reports from Reuters and the Chicago Tribune, a Chinese group known as "APT 18" is suspected of conducting the attack. CNN reports that the FBI is working closely with CHS to investigate the theft. In addition to names, addresses, and social security numbers, stolen information includes birthdates, telephone numbers, and employer or guarantor information on patients who were treated by or received referrals from CHS-affiliated doctors during past 5 years. CHS posted a media notice on its website stating that individuals whose information was taken in this cyber-attack "will be mailed a letter informing them about the data breach and how to enroll in free identity theft protection and credit monitoring services." The Health Insurance Portability and Accountability Act (HIPAA) requires companies to notify patients of suspected breaches of health care information.