Community Health Systems sheepishly said that the attack occurred in April and June of this year, but it was not until July that it was finally spotted.
It told the US Securities and Exchange Commission that the attack was carried out by a group based in China that used “highly sophisticated malware” to attack its systems.
The attacker was able to bypass the company’s security measures and successfully copy and transfer certain data outside the company.
The group is apparently known to US federal law enforcement authorities, which are now investigating.
Stolen were patient names, addresses, birthdates, telephone numbers and Social Security numbers of the 4.5 million people who were referred to or received services from doctors affiliated with the company in the last five years.
However the stolen data did not include patient credit card, medical or clinical information, but still ranks as the second largest disclosed attack to hit the US medical industry in the last few years.
What is still not clear is why the Chinese government would want the medical details of 4.5 million, it is not really as if it could benefit from any ID fraud. However it might be a Chinese criminal gang.