"Anyone that has been impacted, the company has reached out to for identity theft protection at our cost, but none of our patients were identified," he said.
The attacker is believed to be a group that originates from
The hack was discovered in July and is believed to have occurred in April and June of this year.
According to the filing, the company confirmed that this data did not include patient credit card, medical or clinical information; the data is, however, considered protected under the Health Insurance Portability and Accountability Act because it includes patient names, addresses, birth dates, telephone numbers and
The company carries cyber and privacy liability insurance to protect it against certain losses related to matters of this nature, the filing said.
Since this kind of attack has become common, Newell said he is looking to the federal government for regulations and assistance in keeping hackers from getting personal information. He said he has been a victim of identity theft himself and it's a scary situation.
"It's quite concerning for me as an individual, but also as the CEO of a health system where we have so much patient information that we need to keep protected," Newell said. "For the American companies and organizations that are being victimized by these foreign-based cyber-intrusions, I kind of have to say it's up to the federal government to create a national cyber-defense to prevent this type of invasion from happening in the future. We have to make sure the sophistication is up to par at our federal government level because this is a government issue as well as an individual facility or company issue."
Earlier on cumberlink.com
He said because CRMC was recently acquired by the company, it was not on the same platform as the rest of the hospitals owned by CHS, so patients at CRMC were not among the 4.5 million individuals affected by the security breach.
Posted earlier from abc27 on Cumberlink:
The attack reportedly occurred in April and June of this year and was confirmed in July.
The data transferred was non-medical patient identification data related to the company's physician practice operations, and the 4.5 million people are those who, in the last five years, were referred for or received services from physicians affiliated with the company, CPBJ reported.
The data did not include patient credit card, medical or clinical information, CHS said, but is considered protected under the Health Insurance Portability and Accountability Act because it includes patient names, addresses, birth dates, telephone numbers and
CHS said it "is providing appropriate notification to affected patients and regulatory agencies as required by federal and state law" and "will also be offering identity theft protection services to individuals affected by this attack."
The filing did not offer any further specifics on the patients affected, and comment was not immediately available from the
CHS is under the impression the attacker was an "'Advanced Persistent Threat' group originating from
According to the filing, CHS carries cyber and privacy liability insurance.
(c)2014 The Sentinel (Carlisle, Pa.)
Visit The Sentinel (Carlisle, Pa.) at www.cumberlink.com
Distributed by MCT Information Services