Community Health Network, Inc.

Your Personal Info Could Be

Exposed Online After

This Hospital Breach

Breach Description

Community Health Network, Inc. (CHN) experienced a data breach that was first identified on September 19, 2023, when it was discovered that one email account within their network had been compromised by an unauthorized third party[1]. The breach was part of a larger incident involving the GoAnywhere managed file transfer (MFT) solution by Fortra, which was exploited due to a vulnerability (CVE-2023-0669). This vulnerability allowed unauthorized disclosure of company data, including the protected health information (PHI) of approximately one million individuals[3].

The compromised information included full names, addresses, medical billing and insurance information, certain medical information such as diagnoses and medication, and demographic information such as birthdates and Social Security numbers[8]. Community Health Systems (CHS), which operates 79 hospitals across 16 states, was one of the affected entities and began notifying up to 1 million individuals about the breach[12].

CHS took immediate action to investigate the breach, including determining the impact on their information systems and whether there was any material interruption of their business operations, including the delivery of patient care. While the investigation was ongoing, CHS believed that the breach did not impact any of the company’s information systems and that there had not been any material interruption of their operations[3].

Fortra patched the vulnerability on February 7, 2023, and CHS ensured that appropriate notifications would be provided to affected individuals, as well as to regulatory agencies as required by federal and state law. CHS also offered identity theft protection services to individuals affected by the attack[3].

It is important to note that there are multiple entities with similar names, such as Community Healthcare Network, Inc. (CHN) in New York City, which also reported a data privacy incident that may have impacted individuals’ information[4]. However, the breach involving the GoAnywhere MFT vulnerability specifically pertains to Community Health Systems and its affiliates[3][8][12].

Citations:

  1. https://www.ecommunity.com/notice-regarding-data-breach
  2. https://winknews.com/2023/05/12/data-breach-at-community-health-systems-puts-1-2-million-patients-at-risk/
  3. https://healthitsecurity.com/news/community-health-systems-impacted-by-data-breach-tied-to-goanywhere-mft-vulnerability
  4. https://www.chnnyc.org/notice-of-data-incident/
  5. https://www.ecommunity.com
  6. https://www.ecommunity.com/notice-third-party-tracking-technology-data-breach/faqs
  7. https://casetext.com/case/zd-v-cmty-health-network-inc-1
  8. https://www.bankinfosecurity.com/chs-to-notify-1-million-in-breach-linked-to-software-flaw-a-21405
  9. https://www.northwell.edu
  10. https://www.jdsupra.com/legalnews/community-healthcare-network-notifies-5438520/
  11. https://www.pahomepage.com/news/data-breach-impacts-community-health-systems-hospitals/
  12. https://www.hipaajournal.com/community-health-systems-goanywhere-data-breach/
  13. https://www.daytondailynews.com/business/soin-family-suing-kettering-health-for-alleged-breach-of-contract-over-naming-rights/WDO475ACSZDBZN3LXPFPWV3JMM/
  14. https://fox59.com/indiana-news/community-health-network-to-pay-345-million-in-response-to-false-claims-act-violations/
  15. https://www.ibj.com/articles/indianas-high-court-to-consider-privacy-in-bizarre-community-health-case
  16. https://www.databreachtoday.com/community-health-systems-faces-lawsuit-a-7238
  17. https://www.upmchealthplan.com
  18. https://www.healthcareitnews.com/news/community-health-network-reports-online-tracking-data-breach-affecting-15-million
  19. https://www.databreachtoday.com
  20. https://healthitsecurity.com/news/community-health-network-notifies-1.5m-of-data-breach-stemming-from-tracking-tech
  21. https://www.torrancememorial.org
  22. https://www.wthr.com/article/news/health/community-health-network-third-party-data-breach/531-130c8116-9d8f-4930-bf84-ec2604490fdc
  23. https://www.tricare.mil
  24. https://fox59.com/indiana-news/community-health-network-notifies-patients-of-data-breach/
  25. https://atriumhealth.org
Breach Submission Date Nov 17, 2023
Converted Entity Name Community Health Network, Inc.
Converted Entity Type Healthcare Provider
State IN
Individuals Affected 2,271
Breach Type Hacking/IT Incident

Breach Information Location Email, Other

Business Associate Present Yes