A rural health company with hospitals across the nation said Monday that hackers, possibly from China, had gotten the names, addresses, birth dates, telephone numbers and social security numbers of about 4.5 million patients.
Community Health Systems, based in Franklin, Tenn., said the attack occurred in April and June.
In a filing with the U.S. Securities and Exchange Commission on Monday, the company said that the attacker was an "Advanced Persistent Threat" group, possibly based in China. It used "highly sophisticated malware and technology to attack the company's systems," the filing said.
The company's forensic computer experts at Mandiant said the Chinese hacking group "was able to bypass the company's security measures and successfully copy and transfer certain data outside the Company."
The company has since eradicated the malware from its computer system and protected it against attacks of the same type, it said.
Federal authorities told the company that the same hacking group has typically sought valuable intellectual property, such as medical device and equipment development data from other medical centers.
But in this case, they were only able to get patient identification data related to the company's physician practice operations.
That included information about approximately 4.5 million individuals who were referred for or received services from physicians affiliated with the company over the last five years.
No credit card information or medical data was included in the breach.
However, the information was considered protected under the Health Insurance Portability and Accountability Act ("HIPAA") because it includes patient names, addresses, birth dates, telephone numbers and social security numbers.
The company said it is notifying affected patients.
The company has one of the largest networks of hospitals in the nation, with 206 hospitals in 29 states.