US hospital group Community Health Systems has revealed that hackers gained access to 4.5 million patient records in a cyber attack from April to June 2014.
The attack is believed to have originated in China and enabled the intruders to by-pass security measures to steal personal data of patients, including names, social security numbers and addresses.
The company, which runs 206 hospitals in 29 states, said it is notifying affected patients, but no medical records or credit card records are believed to have been accessed.
However, security experts have warned that the stolen information could be used to impersonate the people involved and used to commit fraud and other cyber crimes.
Community Health Systems said it would offer free identity-theft protection services to those affected by the attack.
Security firm Mandiant, owned by FireEye, told the company that the techniques used in the intrusion were similar to those used by a well-known Chinese hacking group, according to the BBC.
But the investigators, who are working with the FBI, have not identified the hacking group involved or indicated if the group is thought to have been working for the Chinese government.
In May, the US charged five Chinese military officers with hacking into five US companies and a labour union to steal trade secrets.
In response to the charges, Chinese foreign ministry spokesman Qin Gang said the allegations were "made up" and would "damage Sino-American co-operation and mutual trust".
News of the Community Health Systems’ hack comes after the compromise of millions of customer records in a string of data breaches at large US retailers.
In the most recent attack, retailer Supervalu warned that intruders may have accessed customer account numbers and some payment card information.
But Supervalu said it had not determined that any such cardholder data was in fact stolen by the intruder, and it has no evidence of any misuse of any such data.
Security experts said the Community Health Systems’ hack highlights how healthcare companies are also prime targets for attackers due to the quantity and value of the sensitive information that they collect.
“Organisations must do more to proactively address the security of critical systems and data – especially as cyber attacks continue to occur daily,” said Eric Chiu, president of cloud security firm HyTrust.
He said consumers also need to take matters into their own hands and be careful about whom they do business with and how, including what information they allow to be collected and shared online.
“They should demand higher security measures from companies entrusted with their data,” said Chiu.
Read more about data breaches
- Most cyber attacks use only three methods, Verizon breach report shows
- Target CEO quits after data breach
- Sears confirms data breach investigation amid retailer data breaches
- Orange data breach underlines need for encryption, say experts
- Target data breach: Why UK business needs to pay attention
- Bitly urges users to secure accounts after security breach
- Target’s CIO resigns after massive data breach