Four Southern West Virginia hospitals were among more than 200 nationwide targeted in a cyber attack by a foreign-based intruder. The four affected hospitals – Bluefield Regional Medical Center, Plateau Medical Center in Oak Hill, Williamson Memorial Hospital and the Greenbrier Valley Medical Center – are controlled by Community Health System (CHS), based in Franklin, TN. The hackers took information of more than 4 million patients from its computer network. The company said in a filing with the U.S. Securities and Exchange Commission on Aug. 25 that the information was taken possibly in April and June of this year.
As stated in a press release from the Greenbrier Valley Medical Center (GVMC), “We take very seriously the security and confidentiality of private patient information and we sincerely regret any concern or inconvenience to patients. Though we have no reason to believe that this data would ever be used, all affected patients are being notified by letter and offered free identity theft protection.”
The theft was limited to personal identification data belonging to some patients who were seen at physician practices and clinics affiliated with Greenbrier Valley Medical Center over the past five years, stated Kimberly Estep, marketing director with GVMC, which included patient names, addresses, birth dates, telephone numbers and Social Security numbers. She emphasized that no medical or credit card records were taken in the attack.
The theft is believed to have originated from China using sophisticated malware and technology to bypass security systems and get the information they wanted, most likely intellectual property. GVMC says the intruder has been eradicated and applications have been deployed to protect against future attacks. They are working with federal law enforcement authorities in their investigation and will support prosecution of those responsible for this attack.
In a statement from West Virginia Attorney General Patrick Morrisey’s office, people are advised to “be on the lookout for things like being billed for medical items you never ordered or received, or if you’re being billed multiple times for certain procedures or items.” He advised people who think they might be affected to check their credit reports and credit card billing statements carefully. Morrisey emphasized the breach affected only clinics and physicians’ offices, and not the hospitals directly, and that no medical, health or financial information was stored on the data servers that were hacked.
The following clinics were affected:
– Oak Hill Clinic Corp.
– Oak Hill Hospital orp.
– Bluefield Clinic Company, LLC
– Greenbrier Valley Anesthesia, LLC
– Greenbrier Valley Emergency Physicians
– Ronceverte Physician Group