Community Health Systems (CHS) has announced that the personal information of approximately 4.5 million patients has been breached.  According to CHS, the information includes patient names, addresses, social security numbers, telephone numbers, and birthdates.

Although the breached records do not contain the details of the patients’ treatment at CHS’ hospitals, the identifying information in the records still meets the HIPAA definition of “protected health information.”  Therefore, CHS will have to follow the HIPAA breach notification requirements.

According to CHS’ filing with the Securities and Exchange Commission, CHS has hired the data security firm, Mandiant, to investigate the breach.  Mandiant has pointed blame at a group originating from China who apparently orchestrated the breach through the use of sophisticated malware.

This large breach should be another reminder for health care providers to safeguard their electronic systems and educate staff members on security policies and procedures.  The type of malware that contributed to the CHS breach can often be installed by a staff member who clicks on a link in an e-mail, or responds to an e-mail from hackers who pose as security personnel.  In addition, health care providers should consider the use of encryption technology that meets the HIPAA breach safe harbor standards.

When in doubt about a suspicious e-mail, phone call, or other communication, staff members should always check with the provider’s information technology personnel and the HIPAA Privacy Officer before taking any action.

If you have any questions about the HIPAA breach notification requirements, please contact Casey Moriarty.