SARASOTA COUNTY, Fla. -- The largest known cyber-attack involving patient information could have an impact here on the Suncoast.
More than 4.5 million patients of Community Health Systems, Inc. could have had their social security number and other personal data exposed. Local hospitals in that system include Bayfront Health Punta Gorda, Bayfront Health Port Charlotte, and Venice Regional Bayfront Health.
Venice Regional confirms that "limited data" of patients seen at physician practices and clinics associated with the hospital over the past five years was “transferred out in a criminal cyber-attack.”
A statement by the hospital says that “the transferred information did not include any medical information or credit card information, but it did include names, addresses, birthdates, telephone numbers and social security numbers."
ABC 7 talked to one local company whose job it is to search and protect online. They say patients and the rest of us do have a reason to be concerned.
From his Sarasota office, former NSA analyst John Jorgensen can watch cyber-attacks on firewalls from around the world in real time. As the President and CEO of Sylint Cyber Security, he's up to date on the largest one ever aimed at getting the info of patients. "Apparently the analysis of the breach so far is that medical records were not garnered, which is a good thing. None the less, it does put all the names and social security numbers onto the internet."
The cyber intelligence community is unsure if the attack, which apparently came out of China, was a trial run or aimed to buy prescription drugs online, or get info on people in power -- or maybe just to sell those Social Security numbers on the black market. "There is no telling really until you start seeing the use of that information."
There’s certainly some cause for concern there. "Yes, you should be concerned. And yes, you should consider whether or not when you were talking to the hospital you have up any passwords or pin numbers or financial information. If you have, go change it."
CHS says they have no reason to believe the info will be used and is offering free identity theft protection.
Jorgensen says those types of programs can only do so much. “Some of those things do help, but you have to remember all of them are reporting after the fact."
In April, the FBI warned the medical industry its protections were soft, making it vulnerable.
Jorgensen says it's not the only area where there are concerns. "Right now the United States doesn't realize how vulnerable it is and what a target it is."
He says there are ways to protect, like encryption programs, but it comes with a cost. "It's a case of whether or not people are willing to spend the money to implement the care that is necessary."
The full statement from Venice Regional Bayfront Health is as follows:
Limited personal identification data belonging to some patients who were seen at physician practices and clinics affiliated with Venice Regional Bayfront Health over the past five years was transferred out of our organization in a criminal cyber attack by a foreign-based intruder. No data from the hospital was affected. The transferred information did not include any medical information or credit card information, but it did include names, addresses, birthdates, telephone numbers and social security numbers.
We take very seriously the security and confidentiality of private patient information and we sincerely regret any concern or inconvenience to patients. Though we have no reason to believe that this data would ever be used, all affected patients are being notified by letter and offered free identity theft protection.
Our organization believes the intruder was a foreign-based group out of China that was likely looking for intellectual property. The intruder used highly sophisticated methods to bypass security systems. The intruder has been eradicated and applications have been deployed to protect against future attacks. We are working with federal law enforcement authorities in their investigation and will support prosecution of those responsible for this attack.
Many American companies and organizations have been victimized by foreign-based cyber intrusions. It is up to the Federal Government to create a national cyber defense that can prevent this type of criminal invasion from happening in the future.