Community Health Systems (CHS), one of the largest hospital chains in the United States, recently suffered a cyberattack that resulted in the unauthorized disclosure of patient data. The incident, which was caused by a security breach at a third-party vendor of the company, Fortra, has affected around one million individuals.
Fortra provides a secure file transfer software called GoAnywhere to CHS affiliates. According to a filing with the SEC, due to the security breach experienced by Fortra, protected health information (PHI) and personally identifiable information (PII) of certain patients of the company's affiliates were exposed by the attacker.
The company launched an investigation upon receiving notification of the security breach to determine whether any of its information systems were affected and whether PHI or PII had been unlawfully accessed by the attacker. While the investigation is still ongoing, the company has stated that it does not believe the Fortra breach has had any impact on any of its information systems and that there has not been any material interruption of its business operations, including the delivery of patient care.
The company has said that appropriate notification will be provided to any individuals affected by the attack, as well as to regulatory agencies as required by federal and state law. Additionally, identity theft protection services will be offered to individuals affected by the attack. The company carries cyber/privacy liability insurance to protect it against certain losses related to matters of this nature. However, the company may have incurred, and may incur in the future, expenses and losses related to this incident that are not covered by insurance.
While the company is continuing to measure the impact, including certain remediation expenses and other potential liabilities, it does not currently believe this incident will have a material adverse effect on its business, operations, or financial results. However, the incident does highlight the potential risks associated with third-party vendors and the need for companies to have robust cybersecurity measures in place to protect their sensitive data.
This incident is just one of many recent cyberattacks targeting the healthcare sector, which has become an increasingly attractive target for cybercriminals due to the sensitive nature of the data that healthcare providers hold. Healthcare providers must take all necessary steps to ensure the security and privacy of patient data and to protect themselves from potential cyber threats.