The parent company of Bayfront Health St. Petersburg says criminal cyberattackers stole Social Security numbers and other information of about 4.5 million patients treated by its affiliated physician groups.
Tennessee-based Community Health Systems — which also owns Bayfront Health Spring Hill, Bayfront Health Brooksville and Bayfront Health Dade City — said Monday that no medical or credit card records were taken in the attack, which may have happened in April and June. But Community said the attack did bypass its security systems to take patient names, addresses, birth dates, and telephone and Social Security numbers.
The data breach affects patients who were treated at the company's clinics, not those who were solely hospital patients, said Susan Frimmel, spokeswoman for Bayfront Spring Hill. The clinics all use the same software that was hacked, she said.
Community has not yet released a list of affected clinics. In the Tampa Bay area, the company's affiliated clinics include Bayfront Health Medical Group locations and such offices as My Gynecologist in Spring Hill and Women's Health of Pasco in Dade City.
"We take very seriously the security and confidentiality of private patient information and we sincerely regret any concern or inconvenience this event may cause for our patients," the company said in a statement. "Though we have no reason to believe that this data would ever be used, all affected patients are being notified by letter and offered free identity theft protection."
Bayfront St. Petersburg's spokeswoman, Elena Mesa, said only that she had no information on the local impact. She declined to make Bayfront Health CEO Kathryn Gillette available for an interview.
The data breach is the latest hurdle for Bayfront St. Petersburg. After a century as a not-for-profit institution, Bayfront was taken over in 2013 by the Naples for-profit hospital chain Health Management Associates.
Even before that buyout was complete, HMA was already facing allegations — aired on CBS's 60 Minutes — that doctors were pressured to make admission quotas to fill the chain's hospital beds. Allegations snowballed with an expanding federal whistle-blower investigation and other claims of kickbacks at the company.
Then last year Community Health swooped in and bought HMA facilities, including Bayfront, Pasco Regional Medical Center, Brooksville Regional Hospital and Spring Hill Regional Hospital, in a $7.6 million deal. They have all been rebranded with the Bayfront name.
The company is in the process of setting up a toll-free hotline for patients concerned about their data.
After the news broke Monday, Frimmel said her phone in Spring Hill had been ringing off the hook from patients nervous that their information had been stolen.
"I've got message after message," she said.
Community Health, which owns, leases or operates 206 hospitals in 29 states, said it believes the attack came from a group in China that used sophisticated malware and technology to get the information. Community has since removed the malware from its system and finalized "other remediation efforts" to prevent future attacks.
The attack follows other high-profile data security problems that have hit retailers like the e-commerce site eBay and Target Corp. Last year, hackers stole from Target about 40 million debit and credit card numbers and personal information for 70 million people.
Shares of Community Health climbed 38 cents to $51.38 late Monday morning, while broader trading indexes also rose less than 1 percent.
Information from the Associated Press was used in this report. Contact Jodie Tillman at [email protected] or (813) 226-3374. Follow @JTillmanTimes.