Crestwood Medical Center to send letters to patients affected by hack, offer free identity theft protection

This is an archived article and the information in the article may be outdated. Please look at the time stamp on the story to see when it was last updated.

HUNTSVILLE, Ala. (WHNT) - Crestwood Medical Center, owned by Community Health Systems, released a statement Monday following news CHS hospitals had fallen victim to computer hackers.

The news means data was stolen on 4.5 million patients, including patients who were seen at Crestwood in recent years.

Crestwood said all affected patients are being notified by letter and will be offered free identity theft protection.

Crestwood's statement follows:

Limited personal identification data belonging to some patients who were seen at some Crestwood employed physician practices and clinics affiliated with Crestwood Medical Center over the past five years was transferred out of the CHS system in a criminal cyber attack by a foreign-based intruder. The transferred information did not include any medical information or credit card information, but it did include names, addresses, birthdates, telephone numbers and social security numbers.

We take very seriously the security and confidentiality of private patient information and we sincerely regret any concern or inconvenience to patients. Though we have no reason to believe that this data would ever be used, all affected patients are being notified by letter and offered free identity theft protection.

Our organization believes the intruder was a foreign-based group out of China that was likely looking for intellectual property. The intruder used highly sophisticated methods to bypass security systems. The intruder has been eradicated and applications have been deployed to protect against future attacks. We are working with federal law enforcement authorities in their investigation and will support prosecution of those responsible for this attack.

Many American companies and organizations have been victimized by foreign-based cyber intrusions. It is up to the Federal Government to create a national cyber defense that can prevent this type of criminal invasion from happening in the future.


  • ramonamom

    Ummm, did you leave out an important word in the title?!! Shouldn’t this say “identity theft PROTECTION”?!

  • Ray

    “Crestwood Medical Center to send letters to patients, offer free identity theft following data hack”
    Hmmm, they are offering Free Identity theft to the ones who whose records were hacked? Wow thats a double wammy…..

  • Andrew

    I am disappointed that Crestwood did not take responsibility for their data. By claiming that the Federal Government is responsible for defense from cyber-attacks they are claiming that they are not responsible for the theft. In my opinion, defense from cyber-attacks is the responsibility of those who store the data. They shouldn’t store any data that they are not willing to fully defend.

  • Will

    Crestwood should take responsibility and not attempt to place blame on the Federal Government. Their IT staff should patch and run vulnerability checks to secure their computer systems. THEY should also STOP asking people for their Social Security numbers multiple times on every form that they hand out. Where do all of those paper copies go? Why do they need your SSN when they have your DL, you INS card, address, employer, etc. The GOVERNMENT has recommended as a best practice that SSN’s not be collected/used by businesses for ID purposes, and yet everybody from the local gym to major corporations ask for this information. If THEY collect it, THEY should be responsible for it and held accountable for breeches.

  • JLDW

    CHS: “The intruder used highly sophisticated methods to bypass security systems.”
    That statement is a total lie and CHS knew it when they released it. It was Heartbleed from a few months back. Here is a quote from the tech website
    “Juniper issued updates for their devices 23 days after the issue was publicly revealed. But like other networking vendors, releasing the patches wasn’t the final step – organizations had to apply said patches in order for the issue to even being to be mitigated.
    It isn’t clear why the CHS device wasn’t patched, and the company has made no additional statements.”
    Here are 2 sites reporting on the breach.

  • Chris

    The statement “It is up to the Federal Government to create a national cyber defense that can prevent this type of criminal invasion from happening in the future” indicates Crestwood Medical Center will allow government agencies (i.e. DHS) access to their networks to ensure appropriate protection measures. IF this is the case, has Crestwood contacted DHS? If not the case (as I assume) the statement needs to be publicly recinded.

Comments are closed.