The number of hacks this year alone has to be getting extremely close to the size of Santa's naughty or nice list.
According to CNN Money today, the computers of Community Health Systems, a large hospital provider in the United States, were recently hacked resulting in the theft of 4.5 million patient records. But, unlike many of the high profile attacks in the past year, almost everything about each patient was absconded. Hackers have effectively stolen names, Social Security numbers, physical addresses, birthdays and telephone numbers of patients that have been treated by any of its 206 hospitals in the last 5 years. For some reason the hackers chose not to steal patient's medical histories, clinical operations, or credit card numbers.
Per the CNN Money report, the result can be extremely serious, allowing the criminals to open bank accounts, take out loans, and successfully apply for new credit cards using the stolen information.
Community Health Systems has hired a security firm to work the case, which has already resulted in information. The hackers were China-based and the attacks happened in April and June of this year.
If you were a patient in a Community Health Systems hospital in the last five years, you can expect a notification – eventually. Federal and state law requires notifications to be sent out, however the laws are inconsistent in the timing for notifications and the transparency of the message.
The entry point of the attack? Malware. According to the hospital network, it only, finally, removed the malware just prior to today's public reveal. Why it took the organization so long to act is in question. The FBI warned the industry about lax security in April of 2014, right about the time the first attack happened.
Does Community Health Systems care that patient information was stolen due to a lack of responsibility? The organization only stated that it is insured against such losses and does not at this time expect a material adverse effect on financial results. Classic.
Maybe, it's about time we realize that real security is as much fantasy as Santa is a fictional character (shhh…don't let your kids read that).