Why Would Chinese Hackers Steal Millions of Medical Records?

Photographer: Alessia Pierdomenico/Bloomberg

A group of Chinese hackers has stolen 4.5 million medical records from a Tennessee-based hospital chain, breaking from the group's previous attacks, which focused on high-stakes industrial espionage.


A group of sophisticated Chinese hackers known for its high-stakes corporate espionage has a history of stealing medical-device blueprints, prescription-drug formulas and other valuable intellectual property from large health-care companies.

So why would it steal 4.5 million health records, which is typically the domain of identity thieves?

It's a question confounding some security experts after Community Health Systems, a Franklin, Tennessee-based hospital chain, disclosed an extensive breach affecting its data going back at least five years. Names, addresses, birthdates and Social Security numbers were taken. The security firm hired to investigate the breach, FireEye's Mandiant division, said the hacking group responsible is based out of China.

"We have tracked this group for the past four years and internally refer to them as APT 18," said Charles Carmakal, managing director of Mandiant, in an e-mail. "This group typically targets companies in the aerospace and defense, construction and engineering, technology, financial services, and health-care industry verticals."

Security experts say it's unusual for accomplished thieves of corporate secrets to suddenly turn to stealing personal data on individuals, which is what you'd expect from Eastern European hacking gangs and cyber-crime rings.

The Theories

It's possible that the hackers were scraping all the data they could from Community Health's systems and wound up with personal data, without any intentions of selling or using it. The hackers could also have stolen the information for the purposes of locating new targets or adding private data to the profiles of existing targets.

Perhaps the most likely theory is that rogue members, tempted by the money they could make, stole the data to sell it on the black market in actions not sanctioned by their superiors, according to a person familiar with the investigation, who spoke on condition of anonymity.

Federal authorities and security experts have been tracking the group responsible for several years and this is the first time it's deviated from industrial espionage, the person said. The group is separate from the People's Liberation Army Unit 61398, according to the person. In May, the U.S. Justice Department charged five members of the Shanghai-based team with stealing trade secrets from industrial giants such as United States Steel and Alcoa.

The FBI said in a statement that it is working with Community Health to investigate the breach.

"We understand the significance of this and other recently announced cyber intrusions by state actors and other cyber criminals and are committing significant resources and efforts to target, disrupt, dismantle and arrest the perpetrators," the agency said.

The Chinese embassy in Washington told Bloomberg News it wasn’t aware of the attack. “Chinese laws prohibit cyber crimes of all forms and Chinese government has done whatever it can to combat such activities,” Geng Shuang, an embassy spokesman, said in an e-mail. “Making groundless accusations at others is not constructive at all and does not contribute to the solution of the issue.”

Why Medical Records?

Medical records are extraordinarily valuable for identity theft, as they contain all manner of personal information needed to take out credit and receive services in victims' names. They're most valuable, ironically, for the non-medical information they contain.

Hackers have been showing an increased interest in the medical sector.

For the past year, Dell's SecureWorks division has responded to multiple intrusions by a hacking group targeting health-care and pharmaceutical companies, according to the company. The group uses phishing e-mails and has even gained physical access to computers to infect target companies. It has been "extremely successful in exfiltrating the most valuable intellectual property of organizations," according to Dell.

For investigators, it's often easy to determine hackers' motivations and hard to figure out their identities. In this case, it's the other way around.
