In April of this year, the FBI issued a Private Industry Notification (PIN) to the health care industry warning of the “likely increase [in] cyber intrusions against health care systems.” In the same month, and continuing into June of this year, a group of hackers originating from China carried out a cyber-attack on the records of Community Health Systems, Inc., a health system headquartered in Franklin, Tennessee and the second-largest for-profit health system in the United States. The breach was reported earlier this week and resulted in unauthorized access to the names, addresses, birth dates, telephone numbers and Social Security numbers of 4.5 million patients. Although no clinical data was stolen, the patient information is protected under HIPAA, and the health system could face substantial monetary penalties for what could be the largest health data breach to date.
The breach and the FBI’s April PIN serve as important reminders of the vulnerabilities health care organizations face as they transition to electronic health records, and the importance of implementing a vigorous HIPAA compliance program to protect patient information.