Community Health Services Data Breach
What You Should Know about the Potential Health Data Breach
The Department of Homeland Security recently became aware that Community Health Systems suffered a data breach as a result of an external cyber attack, known as an Advanced Persistent Threat (APT). APTs are sophisticated, long-term attacks usually targeting a specific company or entity. Community Health Systems believes that the attack may have compromised the personal information of 4.5 million patients. The compromised information includes patient names, birth dates, addresses, telephone numbers, and social security numbers. The information does not include personal medical information or credit card numbers. Community Health Systems is working with a third-party security vendor to lessen the effects of the breach, and will notify affected patients and offer identity theft protection services to affected individuals.
Unfortunately, the health sector – which possesses a lot of intellectual property data and personally identifiable information – is a common target for cyber criminals. The Department of Homeland Security is working with the FBI and the Department of Health and Human Services to assist in sharing specific vulnerabilities and mitigations with the healthcare industry to prevent additional breaches from occurring.
Tips for Consumers
If you are a patient with Community Health Systems, look for notification from the company on whether you were affected, and additional information on identity theft protection services.
If you believe you may have been a victim of this data breach or other Internet crimes, US-CERT recommends that you file a complaint with the Federal Bureau of Investigation’s Internet Crime Complaint Center at http://www.ic3.gov.
Cyber criminals can use personal information, such as the types of information compromised in this attack, to steal people’s identities and access their banking, shopping, social media, and other personal accounts. To protect yourself, practice safe online behavior and follow these cyber hygiene tips from the DHS Stop.Think.Connect.™ Campaign:
- Choose strong passwords and change them often. A strong password uses a combination of letters, numbers, and symbols (when allowed) and does not include a person’s name or other commonly known information such as their children’s or pets’ names.
- Do not use the same password for multiple accounts.
- Criminals will often use high-profile incidents like this data breach to conduct scams, such as offering fake identity theft services or using personal information to pretend to be a legitimate company. Be aware of possible phishing attempts. If you receive an email prompting you to change your account password and claiming to be from your email provider, bank, or another website you frequently log onto, make sure the email is legitimate. To be safe, go directly to websites to change your password, and type the link yourself rather than clicking on links embedded in emails.
- Be on the lookout for other people accessing your personal accounts. Monitor email and social media accounts for suspicious messages or messages that appear to come from you but that you did not send. Monitor bank and credit card accounts for unauthorized charges.
- Request a free credit report to ensure no unauthorized accounts have been opened in your name.
- Small and medium-sized businesses, such as medical care providers, may have been affected by this breach as well. All businesses, regardless of size, should examine their current cybersecurity practices and work to improve the safety of their data. DHS has many resources to help businesses assess and improve their cybersecurity. More information can be found via the DHS Critical Infrastructure Cyber Community (C3) Voluntary Program at https://www.us-cert.gov/ccubedvp/getting-started-business.
What Does Heartbleed Mean for You?
You may have recently read articles about the Heartbleed bug and how it has the potential to compromise every password you use to access Internet sites. This bug is found in software called OpenSSL, which helps make sure the information you send to websites is secure. If the Heartbleed bug affected a website where you have to log in—such as your email, online banking, online shopping, or social media—then a cyber criminal could have learned your username and password. That criminal could then use your username and password to log into the same website. (Remember that this is only true if the website has the Heartbleed bug.)
About the Heartbleed Bug
Heartbleed is a vulnerability in the encryption technology that many websites use to protect information, such as names, addresses, passwords, and credit card numbers. The vulnerability has been found in several websites for email, banking, online shopping, and social networking that use OpenSSL software. The bug can allow someone to obtain data provided over the Internet even if the site appears to be secure, i.e., the URL begins with “https://” or “shttp://”. Even if the padlock symbol is displayed in the URL bar, this bug means that the site may still be unsecure. There is a patch for this vulnerability in the OpenSSL encryption software that websites can implement to fix the problem, and many websites have already implemented the patch. It is also important to understand that this is a fluid situation and the scope and scale will continue to evolve as we dig deeper into the vulnerability.
Tips for Consumers
Many major websites are telling their users to change their passwords immediately. Other sites have made it clear to users that they were unaffected and that user information is safe.
The Department of Homeland Security’s Stop.Think.Connect.™ Campaign offers these tips to consumers to help protect themselves from Heartbleed and other potential vulnerabilities:
- Check to see if websites you frequently use were ever vulnerable to Heartbleed. Many websites are posting this information on their website. Others may proactively reach out with emails (however, be wary of spearphishing scams as noted below). There are also third-party websites that allow you to check on a site’s vulnerability. If you are not sure if a website has taken the appropriate actions or was vulnerable, you may also try contacting their customer service directly.
- Website providers need to take several actions to protect their sites if they were affected. Change your password once you’ve confirmed that those affected websites have taken all the steps necessary to make the website secure. Begin with the sites that contain your most sensitive personal information, such as banking and credit card websites, email, and social media accounts.
- If you re-use the same password for multiple websites, you should change that password at every website, even if that website wasn’t vulnerable. It’s good practice to have a different password for every website. If you did not re-use your password and a website was never vulnerable to Heartbleed, you do not need to change your password for that site.
- Be aware of possible phishing attacks. If you receive an email claiming to be from your email provider, bank, or another website you frequently log onto prompting you to change your password, make sure the email is legitimate. To be safe, go directly to websites to change your password, and type the link yourself rather than clicking on links embedded in emails.
- Closely monitor your credit and accounts for suspicious activity. Over the next few weeks, keep an eye out for purchases you didn’t make or messages you didn’t send or post.
- Ensure websites that require personal information are secure. Whenever a website requires you to provide personal information, such as your credit card or bank account number, make sure the URL begins with “https://” or “shttp://”.
The Stop.Think.Connect.™ Campaign is a national public awareness campaign aimed at increasing the understanding of cyber threats and empowering the American public to be safer and more secure online. For more cyber resources and tips, please visit www.dhs.gov/stopthinkconnect.
Think about how many times you have gone online in the past week. What did you do while online? Check your email? Track your finances? Share pictures and videos? The Internet today has become an invaluable resource in both our professional and personal lives. However, as technology advances, so do the techniques cybercriminals use to gain access to our computer networks. If each of us becomes more aware of cybersecurity risks and implements a few simple steps, we can all make a big difference. Below find resources to help you get started.
The Stop.Think.Connect. Toolkit provides tools to host your own cybersecurity awareness discussion or activity. Download the Toolkit materials that are right for you.
Get tips on how to protect yourself, your families, and members of your community against potential cyber threats. Read our cyber tips.
View informational and educational videos from the Stop.Think.Connect. Campaign and its partners.
Multilingual Resources: Stop.Think.Connect. resources have been translated into several languages. Check out our multilingual resources here.
The Campaign is partnering with a number of organizations to help keep you and your family safe. See our list of recommended additional resources.