Full Text

The lesson for healthcare executives from the news last week that Community Health Systems suffered the worst electronic records hack in healthcare privacy history is that constant vigilance--and lots more money--are needed to keep the same type of catastrophic breach from happening to their organizations.

An outside group of hackers targeted the Franklin, Tenn.-based hospital chain's computer network and stole nonmedical data on 4.5 million patients, the company disclosed last week in a regulatory filing.

CHS, which has 206 hospitals in 29 states, said in the filing that a group originating in China used sophisticated malware and technology in the criminal attack and represents an "advanced persistent threat." It said these hackers typically search for intellectual property on medical devices and other equipment, but instead stole personal data on patients who had sought care from its physician practices.

The data included names, addresses, birthdates, telephone numbers and Social Security numbers--all of which are protected under the Health Insurance Portability and Accountability Act--and are valuable to identity thieves. The CHS data breach, if posted to the "wall of shame" website where major healthcare-record breaches are kept on public display by the Office for Civil Rights at HHS, will be larger than all but one...