Community Health reports third party vendor Fortra experienced security incident

In a regulatory filing, Community Health Systems disclosed that the company was recently notified by Fortra, LLC, a third party vendor of the company, that Fortra had experienced a security incident that resulted in the unauthorized disclosure of dompany data. "Fortra is a cybersecurity firm that contracts with company affiliates to provide a secure file transfer software called GoAnywhere. As a result of the security breach experienced by Fortra, Protected Health Information, or ‘PHI,’ as defined by the Health Insurance Portability and Accountability Act, or ‘HIPAA,’ and ‘Personal Information,’ or ‘PI,’ of certain patients of the company’s affiliates were exposed by Fortra’s attacker. Upon receiving notification of the security breach, the company promptly launched an investigation, including to determine whether any company information systems were affected, whether there was any impact to ongoing operations, and whether and to what extent PHI or PI had been unlawfully accessed by the attacker. While that investigation is still ongoing, the company believes that the Fortra breach has not had any impact on any of the company’s information systems and that there has not been any material interruption of the company’s business operations, including the delivery of patient care. With regard to the PHI and PI compromised by the Fortra breach, the company currently estimates that approximately one million individuals may have been affected by this attack. The company will ensure that appropriate notification is provided to any individuals affected by this attack, as well as to regulatory agencies as required by federal and state law. The company will also be offering identity theft protection services to individuals affected by this attack. The company carries cyber/privacy liability insurance to protect it against certain losses related to matters of this nature. However, the company may have incurred, and may incur in the future, expenses and losses related to this incident that are not covered by insurance. While the company is continuing to measure the impact, including certain remediation expenses and other potential liabilities, the company does not currently believe this incident will have a material adverse effect on its business, operations, or financial results," Community Health stated.