"The transferred information did not include any medical information or credit card information, but it did include names, addresses, birthdates, telephone numbers and social security numbers," explained NMS spokesperson Pat Driscoll, in a statement.
"The social security number, that really is the skeleton key to your credit," says Mark Foster, Director of Education for Credit Counseling of Arkansas.
Foster constantly warns people to protect that number, but in this case, patients didn't have much of a choice.
"Going to the doctor, going to the hospital, you're kind of stuck," he says. "You have to provide that information, and you just pray that it isn't compromised in any way."
Northwest Health System says the data theft includes the personal information of patients who were seen by employed physicians' clinics over the last five years.
"The big thing you want to do is check your credit report and see if there's anything on there that should not be on there," Foster says. "If they believe they've been a victim of fraud, they can go just directly to the credit bureaus, Experian, Equifax or TransUnion, and get a fraud alert put on their file."
Foster says signing up for fraud alert can help, but it's not a perfect tool.
"The fraud alert, potential lenders are supposed to notify you if they see that on there before they extend credit in your identity, but by law they're not required to," he says. "They might extend credit anyway."
Instead, he suggests a credit file freeze.
"No one can open it up and get credit in your identity unless you unlock it with a PIN number," he says. "There may be a $5 charge for you on that, there are some exceptions, but it's pretty affordable, and it can help make sure that no one gets in there and does any damage to your credit."
Any patients affected by the breach will be notified by letter and offered free identity theft protection.
"Our organization believes the intruder was a foreign-based group out of China that was likely looking for intellectual property. The intruder used highly sophisticated methods to bypass security systems. The intruder has been eradicated and applications have been deployed to protect against future attacks. We are working with federal law enforcement authorities in their investigation and will support prosecution of those responsible for this attack."
The Northwest Medical Systems security breach was part of a larger hack of Community Health Systems (CHS), which operates 4 hospitals in northwest Arkansas and two in the River Valley. The company announced on Monday that hackers recently broke into its computers and stole data on 4.5 million patients nationwide.
CHS operates a total of 206 hospitals across the United States. Hackers have gained access to their names, Social Security numbers, physical addresses, birthdays and telephone numbers.
Anyone who is affected by the hack will be contacted by letter. Siloam Springs Regional Hospital, Willow Creek Women's Hospital (Johnson), Northwest Medical Center (Springdale), Northwest Medical Center (Bentonville), Sparks Regional Medical Center (Fort Smith) and Summit Medical Center (Van Buren) are all included in the CHS system.
A spokesperson for Sparks Regional Medical Center and Summit Medical Center says none of the clinics affiliated with these hospitals were affected by the data breach reported yesterday by Community Health Systems.
The large data breach puts these people at heightened risk of identity fraud. That allows criminals to open bank accounts and credit cards on their behalf, take out loans and ruin personal credit history.
The company's hospitals operate in 28 states but have their most significant presence in Alabama, Florida, Mississippi, Oklahoma, Pennsylvania, Tennessee and Texas.
Community Health Systems hired cybersecurity experts at Mandiant to consult on the hack. They have determined the hackers were in China and used high-end, sophisticated malware to launch the attacks sometime in April and June this year.
The FBI said it's working closely with the hospital network and "committing significant resources and efforts to target, disrupt, dismantle and arrest the perpetrators."
Federal investigators and Mandiant told the hospital network those hackers have previously been spotted conducting corporate espionage, targeting valuable information about medical devices.
But this time, the hackers stole patient data instead. Hackers did not manage to steal information related to patients' medical histories, clinical operations or credit cards.
Still, the lost personal information is protected by the Health Insurance Portability and Accountability Act, the federal health records protection law. That means patients could sue the hospital network for damages.
As for exposed victims protecting themselves? There's little they can do.
Making matters worse, Community Health Systems said it will provide notification to the 4.5 million patients "as required by federal and state law," which is inconsistent and varies by region. There is no federal data breach law that requires timely and transparent disclosure that sensitive personal information was lost.
Shares of the publicly-traded Community Health Systems edged lower Monday morning. But the company tried to stem worries about the damages in a filing Monday with the Securities and Exchange Commission, saying that it "carries cyber/privacy liability insurance to protect it against certain losses related to matters of this nature."
The hospital network said that just before Monday's announcement, it managed to wipe the hackers' malware from its computer systems and implemented protections to prevent similar break-ins.
The company plans to offer identity theft protection to the 4.5 million victims of the data breach.
NORTHWEST ARKANSAS -- Northwest Health Systems says some local hospitals
Limited personal identification data belonging to some patients who were seen at physician practices and clinics affiliated with Northwest Health System over the past five years was transferred out of our organization in a criminal cyber-attack by a foreign-based intruder. The transferred information did not include any medical information or credit card information, but it did include names, addresses, birthdates, telephone numbers and social security numbers.
We take very seriously the security and confidentiality of private patient information and we sincerely regret any concern or inconvenience to patients. Though we have no reason to believe that this data would ever be used, all affected patients are being notified by letter and offered free identity theft protection.
Our organization believes the intruder was a foreign-based group out of China that was likely looking for intellectual property. The intruder used highly sophisticated methods to bypass security systems. The intruder has been eradicated and applications have been deployed to protect against future attacks. We are working with federal law enforcement authorities in their investigation and will support prosecution of those responsible for this attack.
Many American companies and organizations have been victimized by foreign-based cyber intrusions. It is up to the Federal Government to create a national cyber defense that can prevent this type of criminal invasion from happening in the future.