Chinese hackers target VT Social Security numbers

Molly Walsh
Free Press Staff Writer

Nearly 1,100 Vermont residents have been notified that their Social Security numbers could be in the hands of Chinese hackers behind one of the largest raids on American electronic medical records.

"You are receiving this letter because some of your personal information may have been taken during this cyber attack," reads an Aug. 25 letter to Vermont consumers from Tennessee-based Community Health Systems Professional Services Corp. "The data which was taken may include your name, address, birthdate and Social Security number."

The company, one of the largest hospital and data-management firms in the U.S., sent the letter to 1,095 Vermont residents, according to the Vermont Attorney General's Office.

Letters bearing bad tidings of data breaches are finding their way to Vermont mailboxes more often.

"It's depressingly common, unfortunately," said Ryan Kriger, an assistant Vermont attorney general in the public protection division.

It's unclear where the affected Vermont residents sought treatment. A Community Health Systems spokeswoman said the company has no affiliation with doctors or hospitals in Vermont and declined to provide further information.

The records could be connected to facilities just over the border in neighboring states or in more distant locales where state residents formerly lived or sought specialized treatment.

The company is not legally required to divulge the sites under state law, Kriger said.

"There's no obligation for them to tell us that information. Basically it's just, 'Our systems were hacked, and here are the people in our system who were impacted.' "

The cyber attack made national headlines last week because it occurred on a massive scale: Records for some 4.5 million people might have been exposed, according to Community Health Systems.

Certain details about the data breach must be disclosed to the public under federal law that pertains specifically to health records, and under a broader Vermont law. The state statute is designed to ensure consumers know when someone snoops on personal information that could be used to create a fake identity, rack up bogus credit-card charges or file falsely for tax refunds.

The intention of the law is simple, Kriger said.

"You gave your personal information to someone; they lost that information or had it stolen from them; you have a right to know that, so you can take steps to protect yourself," he said.

Phone numbers and names of employers also might have been stolen by the Chinese hackers, the letter to Vermonters stated. No medical or clinical information was taken, according to the letter.

National reports have speculated that the hackers found their way into the company's vast data trove by stealing employee passwords.

There are many ways for hackers to sneak into computer systems, and it's difficult for companies, even those with big legal departments and tech teams, to keep up.

"It's an arms race," Kriger said. "The security guys get better, and then the bad guys get better. Technology is constantly advancing, and every time new technology comes out, somebody figures out a way to exploit it."

A copy of the Community Health Services letter is posted at the Vermont Attorney General's Office website. The office posts such notifications partly so consumers know the letters that come to them in the mail are for real, and not another scam.

Community Health Services disclosed the hack in a legal notice in Monday's Burlington Free Press. The notice, headlined "Data Breach Notification," stated that the company provides consulting and information technology services to certain clinics and hospital-based physicians "in this area."

The state's largest hospital, Fletcher Allen Health Care in Burlington, has no contract with Community Health Systems, spokesman Mike Noble said this week. To his knowledge, no Fletcher Allen patients were affected.

The notification letter invited recipients to sign up for identity theft protection free of charge for one year and provided a phone number for information.

The letter stated the company would not call or email affected consumers, and they should be wary if someone contacts them to sign up and provide personal information.

The warning is to protect consumers from another unfortunate trend: Scammers launching a second offensive on people who already have been hacked.

Make sure to sign up with the right number, the one on the paper letter, said Kriger of the Attorney General's Office.

"The message is, beware of emails coming in that claim to be telling you about a breach, because those may be trying to doubly victimize you," he said. "It's one thing after another. It's tricky."

Contact Molly Walsh at 660-1874 or mwalsh@burlingtonfreepress.com. Follow Molly on Twitter at www.twitter.com/mokawa.