Attacker suspected to be an advanced persistent threat from China
In a regulatory filing to the US Securities and Exchange Commission (SEC), the Community Health Systems (CHS) disclosed a massive data breach impacting around 4.5 million people in 29 states.Confirmed by the company in July 2014, the intrusion is believed to have occurred in April and June 2014 and to have been perpetrated by an “Advanced Persistent Threat” (APT) group based in China.
According to forensics expert Mandiant (a FireEye company), who was contracted for the investigation, the attackers relied on sophisticated malware for penetrating the CHS systems.
It appears that the attacker was after intellectual property relating to medical devices and equipment development information.
“However, in this instance the data transferred was non-medical patient identification data related to the Company’s physician practice operations and affected approximately 4.5 million individuals who, in the last five years, were referred for or received services from physicians affiliated with the Company,” it is explained in the report.
Jerome Segura, from security firm Malwarebytes, says that industrial espionage incidents are more frequent and represent a threat that most corporations are not yet properly prepared against.
The information transpired from CHS systems did not include credit card, medical or clinical data, but it includes patient names, addresses, birthdates, telephone numbers and social security numbers, which are protected by the Health Insurance Portability and Accountability Act (HIPAA).
All affected individuals are currently informed of the leak and CHS offers complementary identity theft protection from accredited entities.
Segura says that highly motivated groups with possibilities to bypass traditional security software and to infiltrate important targets exist, and they often rely on strong social engineering in their activity.
Using advanced techniques, APT groups can hide their presence on the compromised machines for long periods of time, in order to observe activity and collect the information they need, said the security researcher via email.
“Overall, the medical sector is not as well protected against such attacks as other sectors and often times firms will rely on their liability insurance to cover themselves instead of dedicating a budget for cyber security. This may work from a business standpoint in a typical risk versus cost scenario but it completely ignores the implications on individuals who may face the pain and worry of identity theft or privacy violations,” he added.
In a report published in July by the New York Attorney General Office, it is revealed that in the New York state, the health care sector exposed the largest amount of information since 2006.