By Steven Hoffman

Staff Writer

Community Health Systems, the Tennessee-based parent company of Jennersville Regional Hospital, reported that it suffered a data breach affecting the personal information of approximately 4.5 million patients after its computer network “was the target of an external criminal cyber attack.”

The hospital company said in a filing with the U.S. Securities and Exchange Commission (SEC) that the attacks took place during April and June of this year. The hacker group responsible for the attack is thought to be operating in China.

According to a spokesperson for the hospital, the compromised data did not include medical, clinical, or credit card information. The hackers did manage to steal private information such as patient names, addresses, birthdates, telephone numbers, and social security numbers.

While the purpose of the attack remains unclear, Community Health Systems said in the SEC filing that the only thing it knows was stolen was “…non-medical patient identification data related to the company’s physician practice operations and affected approximately 4.5 million individuals who, in the last five years, were referred or received services from physicians affiliated with the company.”

Community Health Systems operates 206 hospitals in 29 states throughout the U.S.

Once the attack was detected, Community Health Systems hired Mandiant, a forensic expert, to investigate the incident.  According to the filing with the SEC, the hackers used highly sophisticated malware and technology to attack the company’s systems. The attacker was able to bypass the company’s security measures and copy and transfer certain data outside the company. Community Health Systems has completely eliminated the malware from its systems and implemented other remediation efforts that are intended to protect against such attacks in the future. Additionally, the company is working with federal law enforcement officials in connection with the ongoing investigation into cyber attacks of this kind. 

Community Health Systems will be sending notifications to affected patients and regulatory agencies. The company will also be offering identity theft protection services to individuals affected by the attack.

“We take very seriously the security and confidentiality of private patient information and we sincerely regret any concern or inconvenience to patients,” said the hospital spokesperson in a statement. “Though we have no reason to believe that this data would ever be used, all affected patients are being notified by letter and offered free identity theft protection.”