Patients of Community Health Systems hospitals, or affiliated physicians, could be at risk of medical fraud, says the S.C. Department of Consumer Affairs.
Community Health Systems – which operates eight hospitals in South Carolina including Chester Regional Medical Center and Springs Memorial Hospital in Lancaster – recently reported a cyber attack. Approximately 4.5 million individuals nationwide who received services in the last five years could be affected, company officials reported.
Specific numbers for South Carolina were not available Wednesday from Community Health Systems. State law requires companies to notify the S.C. Department of Consumer Affairs when more than 1,000 people are affected. That notice typically is filed after the company makes an announcement and notifies affected customers.
No credit card or medical or clinical information was stolen, according to Community Health Systems. Stolen data includes patient names, addresses, birth dates, telephone numbers and Social Security numbers.
“With a Social Security number and a date of birth (hackers) can do anything you can do with that data such as file taxes, apply for and take out a loan,” said Juliana Harris, spokeswoman for the S.C. Department of Consumer Affairs.
“Medical identity theft is possible,” she said.
Harris said it’s important for Community Health Systems patients to carefully check their explanation of benefits statements. An extra item or charge on the statement could be a mistake – or the result of identity theft.
That theft is important as people with the stolen information could change a person’s medical records, affecting their ability to get health care, Harris said.
Community Health Systems reported the attack to the Securities and Exchange Commission. The attack happened in April and June and likely originated in China, according to Franklin, Tenn.-based Community Health Systems.
Subsequently, Community Health Systems has employed Mandiant, an information security company, which investigated the incident. Community Health Systems has removed the malware and made other changes to protect its data.
Officials from Chester Regional Medical Center and Springs Memorial released the same statement Wednesday, saying the security and confidentiality of private patient information is taken seriously, and while, “we have no reason to believe that this data would ever be used, all affected patients are being notified by letter and offered free identity theft protection.”
The hospitals also said that other U.S. companies have been victims of foreign-based cyber attacks and “it is up to the federal government to create a national cyber defense that can prevent this type of criminal invasion from happening in the future.”