Valley clinic may be part of national health care breach

PALMER — Officials from a company with a majority stake in the local hospital say the company will provide help to guard against potential identity theft for hacking victims.

Hackers may have stolen limited patient data from a satellite clinic in June, Solstice Family Care of Wasilla, officials with the Mat-Su Regional Medical Center said. Information stolen may include: names, Social Security numbers, and in some cases phone numbers, officials said. No confidential health or financial information — respective examples would be prescriptions and credit card numbers — was accessed at any time, and data stored at the medical center was not accessed, according to Alan Craft, spokesman for the Palmer hospital.

The information is among the estimated 4.5 million records accessed by what the company has labeled an “Advanced Persistent Threat” (Internet security speak for criminal organization) from China. Hackers were able to penetrate data defenses and copy files on the systems of Community Health Systems, according to a disclosure filed Monday with the Securities and Exchange Commission.

Officials were working to fix problems stemming from the breach, Craft said.

“Obviously, we’re taking this very seriously,” he said. “We want to do right by our patients.”

The company will provide free identity theft protection to patients who may have been affected, Craft said. Any patient or customer affected by the breach will receive a letter from Community Health Systems by Aug. 30.

Those who suspect their data may have been stolen or used as a result of the breach can call (855) 205-6951 in order to find out what kind of identity theft protection is available, before or after they receive their notifications.

Technical experts later said the initial break-in exploited the notorious “Heartbleed” vulnerability in secure Internet communications known as OpenSSL. SSL stands for Secure Sockets Layer. Many Websites — gmail and Facebook for example — use this type of connection to establish secure connections between servers and individual users before transmitting private data between the user and the server.

The vulnerability allows hackers to obtain private encryption keys used to encode data transferred between the server and a user’s computer. In the case of CHS, this allowed cyber-attackers to obtain login information for a VPN (a type of remote login for servers), which in turn allowed them to access CHS servers, according to web security site TrustedSec.

A Finnish cyber security firm Codenomicon identified the Heartbleed vulnerability in April, shortly before Google also spotted it. A patch for the vulnerability for web servers affected by Heartbleed has been available since that time.

The attack is widely reported to be the largest of such attacks in the health care sector.

Solstice Family Care has three family care physicians and a mental health care provider, according to its website.

For more information, visit heartbleed.com.

The full text of CHS’s statement is available online at bit.ly/1l47QGt.

Contact Brian O’Connor at 352-2269 or brian.oconnor@frontiersman.com.