Data Breach Notification
A Note from Andi Bosshart, SVP, Corporate Compliance and Privacy Officer
PLEASE NOTE: We will NOT call or email anyone requesting any personal information as a result of this situation. If you receive an unsolicited call or email that appears to be from CHSPSC, LLC, Community Health Systems, your local hospital or physician office, please do not provide any personal information in response to these calls or emails.
On behalf of CHSPSC, LLC, I want to express sincere regret to the patients of affiliated physician practices and clinics whose data was accessed in a foreign-based cyber-attack of our computer network. We value the trust you have placed in us for your care and it is our priority to ensure those who were affected by this attack are notified about the breach and have their questions answered. If you were affected by the data breach, you will receive a letter with more information and a toll-free number to call to learn about the free credit monitoring and identity theft consultation and restoration services offered to affected patients. The following notice contains more details about the breach, measures we are taking to notify you, and how we are improving the way we protect health your information.
In July 2014, CHSPSC, LLC confirmed its computer network was the target of an external criminal cyber-attack in April and June 2014. CHSPSC, LLC, a Tennessee company, provides management, consulting, and information technology services to certain clinics and hospital-based physicians in this area.
CHSPSC, LLC believes the attacker was an “Advanced Persistent Threat” group originating from China, which used highly sophisticated malware technology to attack CHSPSC, LLC’s systems. The intruder was able to bypass the company’s security measures and successfully copy and transfer some data existing on CHSPSC, LLC’s systems.
Since first discovering the attack, CHSPSC, LLC has worked closely with federal law enforcement authorities in connection with their investigation of the matter. CHSPSC, LLC also engaged an outside forensic expert to conduct a thorough investigation and remediation of this incident. CHSPSC, LLC has implemented efforts designed to protect against future intrusions. These efforts include implementing additional audit and surveillance technology to detect unauthorized intrusions, adopting advanced encryption technologies, and requiring users to change their access passwords.
The majority of patients of clinics and hospital-based physicians affiliated with CHSPSC, LLC were not affected by this breach. Individuals whose information was taken in this cyber-attack will be mailed a letter informing them about the data breach and how to enroll in free identity theft protection and credit monitoring services. The data taken includes patients’ names, addresses, birthdates, social security numbers, and, in some cases, telephone numbers, and the names of employers or guarantors. However, to the best of CHSPSC, LLC’s knowledge, NO credit card information was taken and NO medical or clinical information was taken. CHSPSC, LLC recommends that you remain vigilant for incidents of fraud and identity theft by reviewing your credit report and accounts for unauthorized activity.
Anyone with questions about this cyber attack can call 1-877-223-3764 toll-free. For information on preventing identity theft or to report suspicious activity, contact the Federal Trade Commission at 1-877-438-4338 or get free information at www.ftc.gov.