Some Pottstown Memorial Medical Center and Phoenixville Hospital patients are among the estimated 4.5 million caught in a cyberattack announced by Community Health Systems Inc., the parent company of the hospitals.
The two area hospitals would not say Tuesday how many local patients have been affected by the data breach.
The stolen information did not include medical or credit card information, but did include names, addresses, birthdates, telephone numbers and Social Security numbers.
“We regret any concern this has caused for our patients. Those patients whose information was affected by this data breach will be notified over the days ahead and will be offered free identity theft protection,” said Deb Bennis, director of marketing and community relations for PMMC.
According to a company statement issued by PMMC on Tuesday, “limited” personal identification data belonging to some patients seen at physician practices and clinics affiliated with Phoenixville Hospital and Pottstown Memorial Medical Center over the past five years “was transferred out of our organization in a criminal cyber-attack by a foreign-based intruder.”
“Our organization believes the intruder was a foreign-based group out of China that was likely looking for intellectual property. The intruder used highly sophisticated methods to bypass security systems. The intruder has been eradicated and applications have been deployed to protect against future attacks. We are working with federal law enforcement authorities in their investigation and will support prosecution of those responsible for this attack,” the statement continued.
21st Century Media asked each hospital, along with the Franklin, Tenn.-based parent company Community Health Systems, about the number of local patients that might have been affected, but received no response to that question.
However, according to the statement, each affected patient is being notified by letter about the data breach and will be offered free identity theft protection.
“We take very seriously the security and confidentiality of private patient information and we sincerely regret any concern or inconvenience to patients,” the statement read.
Tomi Galin, senior vice president of corporate communications and marketing for Community Health Systems, said Tuesday afternoon that when affected patients receive their letters, they will be provided with a toll-free telephone number for additional information.
Details about the breach were included in a Form 8-K filing Monday by Community Health Systems with the Securities and Exchange Commission. According to the SEC’s website, a Form 8-K is the “current report” companies must file with the SEC to announce major events that shareholders should know about.
The data breach was included in a section called “other events,” which outlines events that are not specifically called for by Form 8-K but that the company considers to be of importance to shareholders.
According to the filing, Community Health Systems confirmed in July that its computer network had been the target of a cyberattack, most likely in April and June of this year.
The data is considered protected under the Health Insurance Portability and Accountability Act (“HIPAA”) because it includes patient names, addresses, birthdates, telephone numbers and Social Security numbers. The company is providing appropriate notification to affected patients and regulatory agencies as required by federal and state law.
Phoenixville Hospital did not immediately respond to telephone and email requests from 21st Century Media for comment and additional information. Community Health Systems Inc. declined to provide additional details beyond what was in the filing.