The company, which runs 206 rural hospitals across the country, said security firm Mandiant believes the hack was conducted by an "Advanced Persistent Threat" group from China. Hackers got access to non-medical identification data for patients who received services from the company's hospitals or were referred to affiliated physicians.
According to Mandiant, the hackers used malware and highly sophisticated technology to bypass Community Health Systems' security systems and successfully copied personal patient data. This included patient names, addresses, birth dates, telephone numbers and Social Security numbers, but not patient credit card, medical or clinical information.
The information was protected by the Health Insurance Portability and Accountability Act, which means patients could sue the hospital network for damages. Community Health Systems said they would inform the 4.5 million patients "as required by federal and state law," though such laws are inconsistent and vary from state to state.
Community Health Systems said they had removed the malware from their systems and that they would provide identity-theft protection services to those affected.
The company said it was working with federal authorities to investigate the attack. Federal authorities said in such cases hackers are usually looking for intellectual property, such as medical device and equipment development data.
Federal agencies had warned healthcare providers in April that they could be subject to such cyber attacks, as systems in this sector were lacking in security measures.