Area Hospitals Allow Unchecked ‘Heartbleed,’ Leaving Patients Vulnerable to Identity Theft

Scartelli Olszewski P.C.

If you live in the Scranton Wilkes-Barre area and you’ve ever gone to the hospital, there’s a good chance that you could have your identity stolen in the near future.

Read that again. It’s important; that’s why we put it in bold type.

Shocked? Worried? You should be. You can thank Community Health Systems, whose pokey response to “Heartbleed,” a well-publicized digital security risk, allowed China-based cybercriminals to steal the personal information of 4.5 million patients. You may be one of them. Here’s why.

Community Health Systems owns 206 hospitals in 29 states. Twenty hospitals in Pennsylvania have been affected by the data breach, including seven in the greater Scranton Wilkes-Barre region:

  • Berwick Hospital Center – Berwick
  • First Hospital Wyoming Valley – Kingston
  • Moses Taylor Hospital – Scranton
  • Regional Hospital of Scranton – Scranton
  • Special Care Hospital – Nanticoke
  • Tyler Memorial Hospital – Tunkhannock
  • Wilkes-Barre General Hospital – Wilkes-Barre

If you’ve ever been a patient or ever visited any of these facilities for any kind of medical procedure, no matter how minor, the information you provided to the hospital during registration may now be in the hands of criminals.

The same may be true if you’ve ever been a patient at a doctor’s office affiliated with one of the Community Health Systems hospitals.

Your full name. Your address and phone numbers. Your birthdate. Your Social Security number. All the information that’s usually used to establish or confirm your identity when accessing or opening bank accounts or credit cards, when obtaining driver’s licenses, or in any number of other official capacities.

That’s a lot to digest, so let’s recap: Since at least June (but maybe since April), a person or group based in China has possessed enough information about you to steal your identity—create a phony version of you—that could be used to open bank accounts, create ID cards, and sign documents in your name. Your information is out there now, and there’s no way to get it back.

If you’re thinking it’s unlikely that a group of Chinese hackers is going to get a Visa card in your name and go on a Shanghai spending spree, you might be right, but that’s not why they stole your information. They probably stole it to sell it.

That’s what’s already happened to more than 14,000 patients of hospitals in Ontario, Canada. They are scrambling to protect their identities after news emerged in June that a pair of hospital employees had stolen their personal data and sold it to financial services firms.

The health care firm that owns the affected Ontario hospitals claims there’s no evidence that the data has been distributed and has even refused to identify the responsible employees, who have since departed. The firm has relatively little interest in trying to protect its patients: it is trying to protect itself from liability.

We confidently guess that is also the primary goal for Community Health Systems, because they could have prevented this breach from happening. They didn’t, and now you’re on the hook.

The hackers got in by exploiting a network security bug called “Heartbleed,” which made big news in February 2014 when security researchers discovered it. Heartbleed exposed thousands of companies around the world to data theft, and a repair procedure was made freely available to everyone affected almost immediately.

It appears that Community Health Systems, however, failed to use it in time. The Chinese operators were able to use the bug to obtain login credentials for doctors and hospital administrators, then log into the hospitals’ private networks using those accounts. Once inside, they were able to take almost anything they wanted, and that’s exactly what they did.

What’s more, the company waited months to tell anyone that this had happened. They finally buried the news in a required regulatory filing with the Securities and Exchange Commission (SEC) in August, several months after the initial security breach was discovered.

Scartelli Olszewski has stayed abreast of this story as it has developed and stands ready to assist anyone whose life and finances have been turned upside-down by the negligence of Community Health Systems. If you think you’re one of those people, call us today.