2023-02-13 COMMUNITY HEALTH SYSTEMS INC Cybersecurity Incident

Page last updated on April 11, 2024

COMMUNITY HEALTH SYSTEMS INC initially disclosed a cybersecurity incident in an SEC 8-K filing on 2023-02-13 16:11:05 EST.

Incident Details

Material: Unknown
Is Breach: Unknown
Records Compromised: Unknown
Data Types Impacted: No Data Types Tracked (yet)

Compromised Date:
Detected Date:
Disclosure Date: 2023-02-13
Contained Date:
Recovered Date:

Attack Goal: Unknown

Costs: No Costs Tracked (yet)

Filings

8-K filed on 2023-02-13

COMMUNITY HEALTH SYSTEMS INC filed an 8-K at 2023-02-13 16:11:05 EST
Accession Number: 0001193125-23-035789

Item 8.01 Other Events.

Community Health Systems, Inc. (the “Company”) was recently notified by Fortra, LLC, a third party vendor of the Company, that Fortra had experienced a security incident that resulted in the unauthorized disclosure of Company data. Fortra is a cybersecurity firm that contracts with Company affiliates to provide a secure file transfer software called GoAnywhere. As a result of the security breach experienced by Fortra, Protected Health Information (“PHI”) (as defined by the Health Insurance Portability and Accountability Act (“HIPAA”)) and “Personal Information” (“PI”) of certain patients of the Company’s affiliates were exposed by Fortra’s attacker.

Upon receiving notification of the security breach, the Company promptly launched an investigation, including to determine whether any Company information systems were affected, whether there was any impact to ongoing operations, and whether and to what extent PHI or PI had been unlawfully accessed by the attacker. While that investigation is still ongoing, the Company believes that the Fortra breach has not had any impact on any of the Company’s information systems and that there has not been any material interruption of the Company’s business operations, including the delivery of patient care. With regard to the PHI and PI compromised by the Fortra breach, the Company currently estimates that approximately one million individuals may have been affected by this attack.

The Company will ensure that appropriate notification is provided to any individuals affected by this attack, as well as to regulatory agencies as required by federal and state law. The Company will also be offering identity theft protection services to individuals affected by this attack. The Company carries cyber/privacy liability insurance to protect it against certain losses related to matters of this nature. However, the Company may have incurred, and may incur in the future, expenses and losses related to this incident that are not covered by insurance. While the Company is continuing to measure the impact, including certain remediation expenses and other potential liabilities, the Company does not currently believe this incident will have a material adverse effect on its business, operations, or financial results.

Company Information