Chinese hackers stole info on 4.5 million U.S. hospital patients

Arik Hesseldahl
weerapatkiatdumrong | Getty Images

If you've been to a hospital in a small town or anywhere in the southeastern portion of the United States in the last few years, it's worth keeping an eye on your personal information.

Community Health Systems, which operates 206 hospitals in 29 states, most of them in rural communities, said today that it suffered a data breach affecting the personal information of some 4.5 million patients.

In a regulatory filing with the U.S. Securities and Exchange Commission, the hospital company said it was attacked during April and June of this year by an "Advanced Persistent Threat" group believed to be operating out of China.

Hacker protection employs two-fold plan
Hacker protection employs two-fold plan

It's not clear what the purpose of this attack may have been, though Community Health says the only thing it knows was stolen was "…non-medical patient identification data related to the company's physician practice operations and affected approximately 4.5 million individuals who, in the last five years, were referred for or received services from physicians affiliated with the company."

The phrase "advanced persistent threat" is noteworthy because it was first used last year by the security firm Mandiant to describe a unit of the Chinese Army that has been accused of attacking the networks of scores of American, Canadian and British companies, dating as far back as 2006. The group's operations were documented in excruciating detail in a landmark report.

Once it detected the attack, Community Health said it hired Mandiant, a unit of the security company FireEye, to investigate the incident. It's unclear if Mandiant thinks this incident is the work of the same Chinese Army group that carried out the attack, or if it's another group in China using similar tactics. The firm did not return calls seeking comment.

More from Re/code:
Can smartphones break out of their rut?
A Snapchat explainer for non-millennials
PowerToFly aims to find women techies jobs wherever they are

Mandiant's report last year documented the operations of Unit 61398, a military cyberwar unit that stands accused of attacking the networks of at least 141 companies or organizations. On average, the hackers would spend nearly a year perusing a targeted company's systems looking for sensitive information to steal: product development plans, manufacturing techniques, business plans and the email messages of senior executives. The point is to help Chinese companies be more competitive.

China has officially denied the accusations, but the report was so detailed that the U.S. Department of Justice secured criminal indictments of five members of Unit 61398, and that in turn poured new fuel on a diplomatic fire burning between the U.S. and China over the issue of cyber warfare.

Read MoreTwo major grocery chains in potential data breaches

For reference, here's a map showing the location of Community Health's hospitals around the U.S., which you can drill down on here. If you've been a patient at any of its hospitals in the last five years, you may be hearing from the company in the coming days.

—By Arik Hesseldahl, Re/

CNBC's parent NBC Universal is an investor in Re/code's parent Revere Digital, and the companies have a content-sharing arrangement.