Community Health Systems data breach may have exposed information of Scranton and Wilkes-Barre hospital patients

Mar. 28—A cyberattack on a third-party vendor for Community Health Systems exposed personal information of an estimated 1 million patients at hospitals and clinics it owns, including three hospitals in Lackawanna and Luzerne counties.

In a notice posted to its website, CHS said a data breach between Jan. 28 and 30 at Fortra LLC — a firm that provides file transfer software — exposed confidential information, including names, addresses, billing and insurance information, birthdates, Social Security numbers and certain medical information, including diagnoses and medications.

CHS owns hospitals in 16 states, including three operated by Commonwealth Health System: Regional Hospital of Scranton, Moses Taylor Hospital in Scranton and Wilkes-Barre General Hospital in Wilkes-Barre.

The data breach is the latest in a string of security breaches at local health care providers.

In February, Lehigh Valley Health Network reported confidential information, including nude photos of patients undergoing cancer treatment at its Lackawanna County-based Delta Medix location, was posted to the dark web after it refused to pay the ransom a cyber criminal group demanded.

Maternal & Family Health Services Inc. revealed in January that patients' confidential information was compromised in a cyberattack between August 2021 and April 2022. The nonprofit human services and health care group has locations in 17 counties, including Lackawanna, Luzerne, Monroe, Susquehanna, Wayne and Wyoming.

In the Community Health Systems case, hackers took advantage of a previously unknown vulnerability to access Fortra's systems, CHS said in its statement. Fortra said it took immediate action to halt the attack and prevent further information from being accessed.

"Please be assured we are committed to protecting personal information," the company said in the statement. "We share your frustration with this security incident, and we apologize for any inconvenience it may cause you."

The statement does not say how many patients may have been affected. In a filing with the Securities and Exchange Commission, the company said the investigation is still ongoing, but estimates information of about 1 million patients may have been exposed.

The company is in the process of notifying affected patients by mail. Those affected will be provided two years of free credit monitoring service.

To enroll in the program or for answers to other questions related to the breach, call 800-906-7947.

Contact the writer:; 570-348-9137; @tmbeseckerTT on Twitter.