Community Health Systems says no medical or credit card records were taken in the attack that could have happened in April and June. They say the attack bypassed security systems to take patient names, addresses, birthdates, phone and Social Security numbers.
The information came from patients who were referred to or received care from doctors tied to the company over the last five years.
Community Health Systems says it is notifying patients impacted by the attack. The company is also offering patients identity theft protection services.
The company owns, leases or operates 206 hospitals in 29 states, including 11 in Alabama.
Those hospitals include Crestwood Medical Center in Huntsville, DeKalb Regional Medical Center in Fort Payne, and Gadsden Regional Medical Center and Riverview Regional Medical Center in Gadsden.
DeKalb Regional said all hospital records are safe, but said in a statement that "limited personal information" of some patients were affected. While they said they had no reason to suspect the information would be used, they are notifying those affected by letter.
"Our organization believes the intruder was a foreign-based group out of China that was likely looking for intellectual property," the DeKalb statement said. "The intruder used highly-sophisticated methods to bypass security systems. The intruder has been eradicated and applications have been deployed to protect against future attacks. We are working with federal law enforcement authorities in their investigation and will support prosecution of those responsible for this attack."
Crestwood Medical Center also responded to the security breach in a statement on Monday. They said personal information of some patients who were seen at some Crestwood employed physician practices and clinics affiliated with Crestwood Medical Center over the past five years was transferred out of their system in the cyber attack.
Copyright 2014 WAFF. All rights reserved. AP contributed to this report.