NEW YORK (CNNMoney) — Community Health Systems, which operates 206 hospitals across the United States, announced on Monday that hackers recently broke into its computers and stole data on 4.5 million patients.
Hackers have gained access to their names, Social Security numbers, physical addresses, birthdays and telephone numbers.
Anyone who received treatment from a network-owned hospital in the last five years — or was merely referred there by an outside doctor — is affected.
The large data breach puts these people at heightened risk of identity fraud. That allows criminals to open bank accounts and credit cards on their behalf, take out loans and ruin personal credit history.
The company’s hospitals operate in 28 states but have their most significant presence in Alabama, Florida, Mississippi, Oklahoma, Pennsylvania, Tennessee and Texas.
Community Health Systems operates 11 hospitals in Alabama:
-Crestwood Medical Center in Huntsville — Read Crestwood’s statement
-DeKalb Regional Medical Center in Fort Payne
-Cherokee Medical Center in Centre
-Gadsden Regional Medical Center in Gadsden
-Riverview Regional Medical Center in Gadsden
-Stringfellow Memorial Hospital in Anniston
-Trinity Medical Center of Birmingham
-L.V. Stabler Memorial Hospital in Greenville
-Medical Center Enterprise in Enterprise
-Flowers Hospital in Dothan
-South Baldwin Regional Medical Center in Foley
Do you believe your personal information was stolen? Scroll down for important steps to take.
Community Health Systems hired cybersecurity experts at Mandiant to consult on the hack. They have determined the hackers were in China and used high-end, sophisticated malware to launch the attacks sometime in April and June this year.
Federal investigators and Mandiant told the hospital network those hackers have previously been spotted conducting corporate espionage, targeting valuable information about medical devices.
But this time, the hackers stole patient data instead. Hackers did not manage to steal information related to patients’ medical histories, clinical operations or credit cards.
Still, the lost personal information is protected by the Health Insurance Portability and Accountability Act, the federal health records protection law. That means patients could sue the hospital network for damages.
Shares of the publicly-traded Community Health Systems edged lower Monday morning. But the company tried to stem worries about the damages in a filing Monday with the Securities and Exchange Commission, saying that it “carries cyber/privacy liability insurance to protect it against certain losses related to matters of this nature.”
The hospital network said that, it managed to wipe the hackers’ malware from its computer systems and implemented protections to prevent similar break-ins.
The network plans to offer identity theft protection to the 4.5 million victims of the data breach.
What to do if you believe your information has been stolen:
If you get a notice that your personal information may have been compromised, taking certain steps quickly can minimize the potential for the theft of your identity. If the stolen information includes your financial accounts, take steps to address compromised credit card accounts immediately. Consult with your financial institution about whether to close bank or brokerage accounts immediately or first change your passwords and have the institution monitor for possible fraud.
If the stolen information includes your Social Security number, call the toll-free fraud number of any one of the three nationwide consumer reporting companies and place an initial fraud alert on your credit reports. This alert can help stop someone from opening new credit accounts in your name. Equifax: 1-888-766-0008; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241 Experian: 1-888-EXPERIAN (397-3742); www.experian.com; P.O. Box 2002, Allen, TX 75013 TransUnion: 1-800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790 An initial fraud alert stays on your credit report for 90 days.
When you place this alert on your credit report with one nationwide consumer reporting company, you’ll get information about ordering one free credit report from each of the companies. It’s prudent to wait about a month after your information was stolen before you order your report. That’s because suspicious activity may not show up right away. Once you get your reports, review them for suspicious activity, like inquiries from companies you didn’t contact, accounts you didn’t open, and debts on your accounts that you can’t explain. Check that information – like your SSN, address(es), name or initials, and employers – is correct. If the stolen information includes your driver’s license or other government-issued identification, contact the agencies that issued the documents and follow their procedures to cancel a document and get a replacement. Ask the agency to “flag” your file to keep anyone else from getting a license or another identification document in your name.
Watch for signs that your information is being misused. For example, you may not get certain bills or other mail on time. Follow up with creditors if your bills don’t arrive on time. A missing bill could mean an identity thief has taken over your account and changed your billing address to cover his tracks. Other signs include: receiving credit cards that you didn’t apply for; being denied credit, or being offered less favorable credit terms, like a high interest rate, for no apparent reason; and getting calls or letters from debt collectors or businesses about merchandise or services you didn’t buy.
The fastest growing form of Identify Theft has been Tax ID related theft. If you believe someone may have obtained your social security number, be sure to file tax returns early each year, to avoid someone attempting to file a bogus return using your number before yours is filed.
Continue to read your financial account statements promptly and carefully, and to monitor your credit reports every few months in the first year of the theft, and once a year thereafter.You are eligible for a free copy of your credit report from each of the 3 major credit reporting agencies each year by visiting http://www.annualcreditreport.com or by calling 877-322-8228.
If your information has been misused, file a report about your identity theft with the police, and file a complaint with the Federal Trade Commission at www.consumer.gov/idtheft