Community Health Systems Breach

In spring of 2014, Community Health Systems (CHS), an operator of 206 hospitals in the United States, experienced a very large breach. The attack lasted for two months, from April to June. The attackers are believed to be a foreign group and used very sophisticated malware to steal information about hospital patients.

Data from 5.4 million patients was stolen, including names, dates of birth, social security numbers, addresses, emails and much more.

This data had been sitting in the company's systems for the past 5 years. Once the hackers were able to use this malware to bypass the security systems CHS had in place, the data was theirs. Sensitive information like this can be misused in a variety of ways once it reaches the wrong hands, resulting in major costs for the company.

For CHS, the cost was between $75 and $150 million. These costs included remediation, regulatory fines, litigation, identity theft protection programs and more. A more complex breach prevention strategy and a more efficient response would’ve drastically reduced these costs for CHS. This is an important lesson for companies everywhere that hold sensitive client information.

What Forms Do Security and Privacy Breaches Take?

A breach can happen because of many different factors. Breaches can be intentional attacks or innocent mistakes. In 2014, cyber breaches were classified into nine categories. These categories are listed below with a brief description of each.

POS Intrusions
Remote attacks against the point where retail transactions occur, specifically where cards are used.

Crimeware
Malware infections within organizations that aren’t associated with more specialized classification patterns.

Thieves use computer networks to gain access to confidential information. Typically this crime is used to access high-profile information.

Insider Misuse
An employee with access to passwords and other security information abuses the access they’ve been given, usually for personal gain.

Web App Attacks
Stealing information from customer devices and then logging into their web applications using the stolen credentials.

Miscellaneous Errors
Errors made by internal staff, especially system administrators, that lead to the exposure of private data.

Physical Theft or Loss
Devices in the workplace go missing and thieves are able to use them.

Payment Card Skimmers
Thieves put very thin skimmers inside the card reader slots and capture future customer data.

Denial of Service
A malicious attempt to make a server or a network resource unavailable to users, usually by temporarily interrupting or suspending the services of a host connected to the Internet.

The above incidents appear in order of how frequently they occurred in 2014. POS intrusions were the most frequent attacks, as retail outlets were targeted regularly.

A Breach Risk Misconception

The risk posed by a security or privacy breach depends on far more than just the number of records involved. There are countless examples of hospitals and hospital chains that suffered millions in losses because of breaches involving a small number of records.

A great example of this risk occurred just recently. A large and well-managed chain of hospitals, with adequate protocols and controls, was slapped with a multi-million dollar lawsuit. The highlight of this example is not the lawsuit itself, but the fact that the lawsuit stemmed from two different and unrelated 1-record breaches. One record was exposed to a party that was not supposed to see it, and the result was millions of dollars in costs for this company. These costs are only related to litigation.

Several other tangible and intangible costs were incurred for regulatory non-compliance, reputational damage, firm disruption, etc. Firms that aren’t properly prepared to manage a breach leave themselves very susceptible to this risk.