CHS confirms Chinese hackers accessed personal information on 4.5 million patients

In a filing with the Securities and Exchange Commission, Community Health Systems (CHS), the nation’s leading for-profit publicly-traded operator of general acute-care hospitals, disclosed that this spring, a sophisticated hacker group likely originating in China was able to bypass its computer security measures and copy non-medical information on approximately 4.5 million individuals either treated at or referred to one of its facilities in the past five years.

CHS, which is based in Franklin, Tennessee, and its computer forensic expert, Mandiant, believe the cyber attack occurred in April and June of this year. Malware-infected CHS computers may have helped the group gain access and copy the data, which did not include health information but is still considered protected personal health information under the Health Insurance Portability and Accountability Act (HIPAA) because it included patient names, addresses, birth dates, telephone numbers and Social Security numbers.

CHS will offer all affected individuals free identity theft protection services and is notifying all the affected individuals and the relevant government agencies with oversight. It also reported having eradicated the malware from its systems and put in place systems designed to protect against future attacks like this one.

Because CHS carries cyber/privacy liability insurance, the direct financial impact will likely be negligible. However, the possible impact on patient trust in CHS and its electronic health records is harder to quantify.

In late February, only a few months before this attack occurred, the Office of the National Coordinator for Health Information Technology (ONC) released results from a national telephone survey of more than 2,000 people that it had conducted in 2012. It revealed that patients who don’t trust security measures for electronic health records (EHRs) are much less likely to support electronic health information exchange (HIE) and much more likely to withhold information from their health care provider. (Read our report.)

While a recent Healthcare Information and Management Systems Society (HIMSS) survey of members found that most saw the biggest threat to patient data as coming from within their organizations through unauthorized accessing of records by staff and providers, the government has warned that outside threats also need to be taken seriously. CHS is not alone in having its systems compromised by malware and hackers, and small hospitals are just as much targets as big operators like CHS. For example, in March, the Valley View Hospital Association (VVH), which operates a small hospital in Glenwood Springs, Colorado, voluntarily disclosed that a virus had infected its computers and captured data that included personal but not medical information on 5,400 patients. (Read our report.)

Providers concerned about protecting their systems from hackers do have a new resource. Earlier this year, the Health Information Trust Alliance (HITRUST) and the U.S. Department of Health and Human Services (HHS) began conducting free briefings on current and probable cyber threats in the healthcare sector, as well as sharing what to do to defend against these threats. In addition, HITRUST set up an alert system to notify healthcare organizations of cyber threats targeted at the healthcare sector. To get the alerts or participate in the monthly online briefings, register at www.hitrustalliance.net/cyberupdates.

Lena Kauffman,

Contributor

Lena Kauffman is a contributing writer based in Ann Arbor, Michigan.
