Hospital operator that owns Mat-Su medical center hacked

Zaz Hollander

WASILLA -- Community Health Systems, the company that owns Mat-Su Regional Medical Center, says hackers originating in China may have stolen personal information from 4.5 million customers across the country.

Mat-Su Regional, a 74-bed facility just off the Parks Highway between Palmer and Wasilla, is the only hospital in Alaska run by CHS, one of the country’s largest publicly traded hospital operators.

The Mat-Su hospital itself was not part of the data theft, but it's possible a small physicians clinic the hospital operates on Bogard Road was involved, according to Cathy Babuscio, the hospital's human resources director and facility compliance officer. Babuscio said Monday she expected to know more within the next few days.

Community Health Systems experienced an “external, criminal cyberattack” that took place in April and June, according to a regulatory filing Monday with the U.S. Securities and Exchange Commission. The attack affects people who were referred for or receiving services from CHS-affiliated physicians in the last five years.

The data involved was patient identification information -- names, addresses, birth dates, Social Security numbers -- but did not include patient credit card, medical or clinical information, the company says. 

By Aug. 30, CHS will send letters notifying customers whose information was compromised and plans to provide a toll-free phone number within the next few days, officials at the Mat-Su hospital said. Customers who receive letters will be offered free identity theft protection from a service that checks to make sure personal information wasn't used without permission.

Mat-Su hospital officials said they understood that people were concerned, but their patient care staff won't have much information if people call the hospital directly. 

"Our business is to take care of patients," said chief nursing officer Emily Stevens. 

The attack apparently came from China, according to CHS officials and the security firm that's been contracted to resolve the situation, Mandiant. 

CHS and Mandiant “believe the attacker was an ‘Advanced Persistent Threat’ group originating from China who used highly sophisticated malware and technology” to attack CHS systems, the SEC filing states.

Mandiant first used the phrase “Advanced Persistent Threat” last year to describe a “military cyberwar” unit of the Chinese army accused of attacking the networks of numerous American, Canadian and British companies, according to a story posted Monday on technology news site Re/code.

The SEC filing doesn’t say whether the security firm is connecting the CHS attacks to that group or a different group in China.

An Internet security unit within the Alaska Department of Health and Social Services is working with Mat-Su Regional, according to department spokeswoman Sarana Schell. The unit is waiting for the hospital to "investigate and get back to us," Schell said in an email. She said that process wasn't expected to be complete for several days. 

Community Health Systems owns, leases or operates 206 affiliated hospitals in 29 states with approximately 31,100 licensed beds, according to the company. CHS is headquartered in Franklin, Tennessee, a suburb of Nashville.

Mat-Su Regional opened in 2006, the result of an LLC partnership between Valley Hospital Association and Triad Hospitals. CHS purchased Triad in 2007.