Consumer Alert: Significant medical data breach impacts 4.5 million patients

Community Health System suffers sophisticated attack from hackers

Community Health Systems announced a serious data breach impacting 4.5 million patients across the US, spanning 28 states and covering information gathered over the past five years. The company announced the breach in its SEC filings, and described the breach as originating from China, and as an “Advanced Persistent Threat” group hack of the hospital’s computer network. The hackers were focused on acquiring patients’ names, SSN, date of birth, addresses and telephone numbers. This kind of information can be used to open new accounts in victim’s name, among other forms of identity theft.

WPF’s analysis of the SEC language is that this particular breach is in the high risk category for affected patients. Unlike, for example, a hospital worker who has unintentionally left a laptop in a car, this attack was intentional, and the information the hackers stole is what is needed for opening new accounts in victim’s names. The company states that it will be offering Credit Monitoring to victims, which we encourage people to use. For individuals who are able to confirm they are a victim of this breach, another option is to set something called a security freeze. A security freeze will stop any new credit accounts from being opened, and is an effective remedy against certain challenging forms of identity theft.

Related info:

How to place a security (credit) freeze, from WPF
Detailed breach information from Community Health System’s SEC filing (8-K, August 18, 2014):

Item 8.01. Other Events

“In July 2014, Community Health Systems, Inc. (the “Company”) confirmed that its computer network was the target of an external, criminal cyber attack that the Company believes occurred in April and June, 2014. The Company and its forensic expert, Mandiant (a FireEye Company), believe the attacker was an “Advanced Persistent Threat” group originating from China who used highly sophisticated malware and technology to attack the Company’s systems. The attacker was able to bypass the Company’s security measures and successfully copy and transfer certain data outside the Company. Since first learning of this attack, the Company has worked closely with federal law enforcement authorities in connection with their investigation and possible prosecution of those determined to be responsible for this attack. The Company also engaged Mandiant, who has conducted a thorough investigation of this incident and is advising the Company regarding remediation efforts. Immediately prior to the filing of this Report, the Company completed eradication of the malware from its systems and finalized the implementation of other remediation efforts that are designed to protect against future intrusions of this type. The Company has been informed by federal authorities and Mandiant that this intruder has typically sought valuable intellectual property, such as medical device and equipment development data. However, in this instance the data transferred was non-medical patient identification data related to the Company’s physician practice operations and affected approximately 4.5 million individuals who, in the last five years, were referred for or received services from physicians affiliated with the Company. The Company has confirmed that this data did not include patient credit card, medical or clinical information; the data is, however, considered protected under the Health Insurance Portability and Accountability Act (“HIPAA”) because it includes patient names, addresses, birthdates, telephone numbers and social security numbers. The Company is providing appropriate notification to affected patients and regulatory agencies as required by federal and state law. The Company will also be offering identity theft protection services to individuals affected by this attack. The Company carries cyber/privacy liability insurance to protect it against certain losses related to matters of this nature. While this matter may result in remediation expenses, regulatory inquiries, litigation and other liabilities, at this time, the Company does not believe this incident will have a material adverse effect on its business or financial results.” (From CHS 8-K SEC filing, August 18, 2014.)

Posted August 18, 2014 in Consumer Alert, Data Breach, Security Freeze

New Report: Risky Analysis: Assessing and Improving AI Governance Tools

We are pleased to announce the publication of a new WPF report, “Risky Analysis: Assessing and Improving AI Governance Tools.” This report sets out a definition of AI governance tools, documents why and how these tools are critically important for trustworthy AI, and where these tools are around the world. The report also documents problems in some AI governance tools themselves, and suggests pathways to improve AI governance tools and create an evaluative environment to measure their effectiveness. AI systems should not be deployed without simultaneously evaluating the potential adverse impacts of such systems and mitigating their risks, and most of the world agrees about the need to take precautions against the threats posed. The specific tools and techniques that exist to evaluate and measure AI systems for their inclusiveness, fairness, explainability, privacy, safety and other trustworthiness issues — called in the report collectively AI governance tools – can improve such issues. While some AI governance tools provide reassurance to the public and to regulators, the tools too often lack meaningful oversight and quality assessments. Incomplete or ineffective AI governance tools can create a false sense of confidence, cause unintended problems, and generally undermine the promise of AI systems. The report contains rich background details, use cases, potential solutions to the problems discussed in the report, and a global index of AI Governance Tools.
National IDs Around the World — Interactive map

About this Data Visualization: This interactive map displays the presence...
Report: From the Filing Cabinet to the Cloud: Updating the Privacy Act of 1974

This comprehensive report and proposed bill text is focused on the Privacy Act of 1974, an important and early Federal privacy law that applies to the government sector and some contractors. The Privacy Act was written for the 1970s information era -- an era that was characterized by the use of mainframe computers and filing cabinets. Today's digital information era looks much different than the '70s: smart phones are smarter than the old mainframes, and documents are now routinely digitized and stored and perhaps even analyzed in the cloud, among many other changes. The report focuses on why the Privacy Act needs an update that will bring it into this century, and how that could look and work. This work was written by Robert Gellman, and informed by a two-year multi-stakeholder process.

Consumer Alert: Significant medical data breach impacts 4.5 million patients

Community Health System suffers sophisticated attack from hackers

Related info:

How to place a security (credit) freeze, from WPF

Detailed breach information from Community Health System’s SEC filing (8-K, August 18, 2014):