Item 8.01. Other Events.
In July 2014, Community Health Systems, Inc. (the "Company") confirmed that its
computer network was the target of an external, criminal cyber attack that the
Company believes occurred in April and June, 2014. The Company and its forensic
expert, Mandiant (a FireEye Company), believe the attacker was an "Advanced
Persistent Threat" group originating from China who used highly sophisticated
malware and technology to attack the Company's systems. The attacker was able to
bypass the Company's security measures and successfully copy and transfer
certain data outside the Company. Since first learning of this attack, the
Company has worked closely with federal law enforcement authorities in
connection with their investigation and possible prosecution of those determined
to be responsible for this attack. The Company also engaged Mandiant, who has
conducted a thorough investigation of this incident and is advising the Company
regarding remediation efforts. Immediately prior to the filing of this Report,
the Company completed eradication of the malware from its systems and finalized
the implementation of other remediation efforts that are designed to protect
against future intrusions of this type. The Company has been informed by federal
authorities and Mandiant that this intruder has typically sought valuable
intellectual property, such as medical device and equipment development data.
However, in this instance the data transferred was non-medical patient
identification data related to the Company's physician practice operations and
affected approximately 4.5 million individuals who, in the last five years, were
referred for or received services from physicians affiliated with the Company.
The Company has confirmed that this data did not include patient credit card,
medical or clinical information; the data is, however, considered protected
under the Health Insurance Portability and Accountability Act ("HIPAA") because
it includes patient names, addresses, birthdates, telephone numbers and social
security numbers. The Company is providing appropriate notification to affected
patients and regulatory agencies as required by federal and state law. The
Company will also be offering identity theft protection services to individuals
affected by this attack. The Company carries cyber/privacy liability insurance
to protect it against certain losses related to matters of this nature. While
this matter may result in remediation expenses, regulatory inquiries, litigation
and other liabilities, at this time, the Company does not believe this incident
will have a material adverse effect on its business or financial results.
This Current Report on Form 8-K contains forward-looking statements within the
meaning of Section 27A of the Securities Act of 1933, as amended, Section 21E of
the Securities Exchange Act of 1934, as amended, and the Private Securities
Litigation Reform Act of 1995, that involve risks and uncertainties. All
statements in this Current Report on Form 8-K, other than statements of
historical fact, including statements regarding the anticipated impact of the
incident described herein on the Company's business and financial results, are
forward-looking statements. These statements are not guarantees of future
results or performance, and actual outcomes and results may differ materially
from those expressed in, or implied by, any of these forward-looking statements.
Risks and uncertainties that could cause actual results to differ materially
from those in the forward-looking statements include, but are not limited to,
the outcome of any potential regulatory inquiries and/or litigation to which the
Company may become subject as the result of this incident, the potential
reputational damage to the Company resulting from this incident, the outcome of
the Company's pending and ongoing investigation, including the Company's
potential discovery of additional information relating to this incident, and the
extent of remediation costs and other additional operating or other expenses
that may be incurred by the Company as the result of this incident. The Company
undertakes no obligation to revise or update any forward-looking statements, or
to make any other forward-looking statements, whether as a result of new
information, future events, or otherwise.
The information furnished pursuant to this Item 8.01 shall not be deemed "filed"
for purposes of Section 18 of the Securities Exchange Act of 1934 (the "Exchange
Act") or otherwise subject to the liabilities under that Section and shall not
be deemed to be incorporated by reference into any filing of the Company under
the Securities Act of 1933 or the Exchange Act.