Investigators say a China-based hacking group is to blame for a data breach that exposed the identities of 4.5 million patients served by or referred to Community Health Systems (CHS), a publicly traded company that owns, leases, and/or operates 206 hospitals in 29 U.S. states. The stolen data included Social Security Numbers, names, dates of birth, addresses, and contact information. However, no credit card numbers or medical records were stolen.
No intellectual property was nabbed either...and that's what's odd.
CHS and Mandiant, which was commissioned in June to conduct the forensic investigation, "believe the attacker was an 'Advanced Persistent Threat' group originating from China who used highly sophisticated malware and technology to attack the Company’s systems," according to a regulatory report the CHS filed with the Securities and Exchange Commission today.
The attack methods are characteristic of a particular APT group, but the type of information stolen -- personal identity information -- is a departure from the norm for the group, which "has typically sought valuable intellectual property, such as medical device and equipment development data," according to the filing. The name of the suspected group has not been revealed. Mandiant declined to comment because the investigation is ongoing.
So why might a group of Chinese APT actors be interested in a fat pile of identity info? And if indeed they're based in China, does it necessarily follow that they are politically motivated, or government-funded? Some people are skeptical.
"The motivation for a state-sponsored desire to get personal identifying information would be pointless," says David Hobbs, Director of Security Solutions at Radware. "The IRS, credit reporting agencies, and other targets have lost much more personal information on U.S. citizens, so the value of this information for politically motivated hacking makes no sense. Allegedly they didn’t steal credit card information which could have been used to gain greater personal intelligence if this were state sponsored."
"One must keep in mind," says Jeffrey Lyon, co-founder of Black Lotus, "that China recently emerged as the world's second largest economy with 618 million Internet users, more than the entire population of the United States. It is entirely reasonable to expect that an uptick in cyber crime will accompany this growth. It is not proper to automatically assume that the Chinese government itself is responsible for these incidents."
It is possible that this is just the first step toward other attacks: stealing the data, then selling it to raise money for something else.
"While the number of records is astonishing and makes it one of the largest breaches in the medical field, it may not have been the perpetrators' actual goal," says Jerome Segura, senior security researcher at Malwarebytes Labs. "If the group behind this was one of the suspected hacking units from China, their motive generally is the theft of intellectual property. Indeed, industrial espionage (or medical espionage, for that matter) has been a growing and active threat for which most corporations aren't quite prepared."
In April, the FBI issued a warning to healthcare providers, informing them that the industry was not as prepared for cyber attacks as other sectors.
"Healthcare lags far behind many other industries in making CIOs report to the CEO, hiring CISOs and making cybersecurity leadership a priority," says Mansur Hasib, author of Impact of Security Culture on Security Compliance in Healthcare. "Being familiar with the US healthcare industry, I know that 50 percent of the US organizations run their IT through their Finance or Operations organizations. Therefore technology and cybersecurity officers are not empowered to make the right decisions. In most organizations the CEO does not take the fall for these types of breaches -- they typically make the CIO or CISO the scapegoat."
Trey Ford, global security strategist at Rapid7, says that healthcare is one of the most difficult industries to protect. "You have a great deal of personally identifiable information (PII) that achieves high values on the black market; healthcare practitioners often sharing workstations and passwords, coming and going on shifts or in emergencies; and medical devices and systems that are highly regulated and certified for set configurations, so they cannot easily be patched," says Ford. "For these reasons, standard industry practices like network segmentation and scanning are often prohibited."
Costs Not Big Enough?
In the SEC filing, CHS stated that it carries cyber insurance to cover incidents like this one, and that "while this matter may result in remediation expenses, regulatory inquiries, litigation and other liabilities, at this time, the Company does not believe this incident will have a material adverse effect on its business or financial results."
Hobbs notes that CHS could still be hit by fines under the HITECH Act -- which mandates security controls like encryption -- unless their cyber insurance covers negligent business practices.
The incident has not hurt the company's stock price, either. At the close of business Monday, CHS's stock was actually up.
However, if neither regulatory pressures nor financial pressures will force CHS and similar organizations to harden their security, what will?
"Financial pressures alone have not been sufficient," says Hasib, "because most organizations have been able to get away with offering credit monitoring and other such measures which do not capture the total financial and personal hardship suffered by people who actually suffer from these breaches. We can see even with this breach the executives are only worried about addressing the financial loss. They appear oblivious to the moral wrong of not protecting the public good they have been entrusted with. Until this changes, we will continue to see breaches and problems like this."
Lucky for CHS that their insurance may cover the costs, because they already owe the Department of Justice over $88 million for unrelated reasons. Earlier this month CHS agreed to a settlement to end a DoJ investigation into the billing practices of over 100 of CHS's associated hospitals. The government was investigating whether or not the hospitals had been billing Medicare, Medicaid, and TRICARE for inpatient admissions costs that should have been billed as outpatient or observation visits.