Dear Mr. Chairman:
I am writing to request that the Committee hold a bipartisan hearing to investigate the causes and effects of a very serious data security breach at Community Health Systems, Inc., the nation’s largest for-profit hospital chain.
Last month, Community Health Systems, which operates 206 hospitals across the United States, announced that hackers broke into its computers and stole data on 4.5 million patients.[1] This represents the second largest health information breach in history and the largest hacking-related health information breach ever reported.[2] Hackers reportedly operating from China gained access to patient names, Social Security numbers, physical addresses, birthdays, and telephone numbers, putting these individuals “at heightened risk of identity fraud."[3]
Over the past year, the Committee has been investigating the security of the Healthcare.gov website. This investigation has involved numerous public hearings, more than a million pages of documents from federal agencies and private contractors, and 18 transcribed interviews. To date, however, no personally identifiable information has been compromised as a result of malicious cyber attacks, although outside actors have repeatedly tried.[4]
Cybersecurity threats are an ongoing challenge for both the federal government and the private sector. For these reasons, I believe an investigation of the data security breach at Community Health Systems will help the Committee learn from these witnesses about security vulnerabilities they have experienced in order to better protect our federal information technology assets.
Thank you for your consideration of this request.
Sincerely,
Elijah E. Cummings
Ranking Member
-------------------------------
[1] Hack of Community Health Systems Affects 4.5 Million Patients, New York Times (Aug. 18, 2014) (online at https://bits.blogs.nytimes.com/2014/08/18/hack-of-community-health-systems-affects-4-5-million-patients).
[2] Hackers Directly Targeting Health Care Organizations, FBI Warns, iHealthBeat (Aug, 21, 2014) (online at www.ihealthbeat.org/articles/2014/8/21/hackers-directly-targeting-health-care-organizations-fbi-warns).
[3] Hospital Network Hacked, 4.5 Million Records Stolen, CNN Money (Aug. 18, 2014) (online at https://money.cnn.com/2014/08/18/technology/security/hospital-chs-hack).
[4] See, e.g., HealthCare.gov Server Hacked. But HHS Says No Consumer Information Taken, Washington Post (Sept. 4, 2014) (online at www.washingtonpost.com/blogs/the-switch/wp/2014/09/04/healthcare-gov-server-hacked-but-hhs-says-no-consumer-information-taken/) (reporting that although a test server was hacked, no personally identifiable information was compromised)
