Aug. 19 (Bloomberg) -- Chinese hackers stole social securitynumbers, names and addresses from 4.5 million patients of CommunityHealth Systems Inc., the second-biggest for-profit U.S. hospitalchain, according to the company.

The attacks occurred in April and June, the Franklin,Tennessee-based company said yesterday in a U.S. regulatory filing.The hacker group originated from China and bypassed the company’ssecurity system, making off with non-medical information frompeople who visited doctors’ offices associated with thecompany.

“Unfortunately, we have joined numerous American companies andinstitutions who have been victimized by highly sophisticated,criminal cyber-attacks originating out of China,” Tomi Galin, aspokeswoman for Community Health, said in an e-mail. “Importantly,no patient medical or financial information was transferred as aresult of this intrusion.”

Community Health is among several companies that have reportedsimilar breaches. Supervalu Inc., a U.S. supermarket chain, saidAug. 15 that it suffered an attack that exposed customers’ credit-and debit-card information. The retailer Target Corp. was breachedlast year by Eastern European hackers who stole credit card numbersand other personal data from at least 70 million customers in oneof the biggest retail hacking incidents in U.S. history.

‘Groundless accusations’

The Chinese embassy in Washington said it wasn’t aware of theattack. “Chinese laws prohibit cyber crimes of all forms andChinese government has done whatever it can to combat suchactivities,” Geng Shuang, an embassy spokesman, said in an e- mail.“Making groundless accusations at others is not constructive at alland does not contribute to the solution of the issue.”

The company could have done a better job safeguarding the data,said one electronic security expert. “There is no indication thatthis data was encrypted, which creates further challenges for theorganization and the patients impacted,” JD Sherry, vice presidentfor network security company Trend Micro Inc., said in ane-mail.

Community Health said it hired electronic forensics specialistMandiant Corp., a subsidiary of FireEye Inc., to investigate theincident and suggest security improvements. The hospital operatoralso working with the U.S. Federal Bureau of Investigation.

State-sponsored hack

“We understand the significance of this and other recentlyannounced cyber-intrusions by state actors and other cybercriminalsand are committing significant resources and efforts to target,disrupt, dismantle and arrest the perpetrators,” FBI spokesmanJoshua Campbell said in an e-mail.

Federal authorities and security experts have been tracking theChinese state-sponsored group they believe is responsible for thebreach over a period of several years. This is the first time thegroup has been linked to the theft of the kind of personal data inwhich cybercriminals specialize, according to a person familiarwith the investigation.

Usually, the Chinese hacker group focuses on typical targets ofindustrial espionage, specializing in pharmaceutical companies andresearch related to the development of new drugs. It hasoccasionally targeted other sectors as well, according the personinvolved in the investigation, who agreed to speak only oncondition of anonymity.

Community Health said it’s notifying patients and will beoffering identity theft protection services to them. The companysaid it doesn’t believe the electronic break-in will affect itsbusiness.

Sherry said the hospital chain will have to reassure patientsafter the hacking incident.

“The bigger financial impact is the soft costs of losing patienttrust and confidence in their services, which can be extremelydifficult to recover from,” Sherry said.

With assistance from Chris Strohm in Washington.

Copyright 2018 Bloomberg. All rightsreserved. This material may not be published, broadcast, rewritten,or redistributed.