Form 8-K
COMMUNITY HEALTH SYSTEMS INC false 0001108109 0001108109 2023-02-13 2023-02-13





Washington D.C. 20549







Pursuant to Section 13 or 15(d)

of the Securities Exchange Act of 1934

Date of Report (date of earliest event reported): February 13, 2023




(Exact name of registrant as specified in its charter)




Delaware   001-15925   13-3893191

(State or other jurisdiction of

incorporation or organization)



File Number)

  (IRS Employer
Identification No.)

4000 Meridian Boulevard

Franklin, Tennessee 37067

(Address of principal executive offices)

Registrant’s telephone number, including area code: (615) 465-7000



Check the appropriate box below if the Form 8-K filing is intended to simultaneously satisfy the filing obligation of the registrant under any of the following provisions:


Written communications pursuant to Rule 425 under the Securities Act (17 CFR 230.425)


Soliciting material pursuant to Rule 14a-12 under the Exchange Act (17 CFR 240.14a-12)


Pre-commencement communications pursuant to Rule 14d-2(b) under the Exchange Act (17 CFR 240.14d-2(b))


Pre-commencement communications pursuant to Rule 13e-4(c) under the Exchange Act (17 CFR 240.13e-4(c))

Securities registered pursuant to Section 12(b) of the Act:


Title of each class




Name of each exchange
on which registered

Common Stock, $0.01 par value   CYH   New York Stock Exchange

Indicate by check mark whether the registrant is an emerging growth company as defined in Rule 405 of the Securities Act of 1933 (17 CFR §230.405) or Rule 12b-2 of the Securities Exchange Act of 1934 (17 CFR §240.12b-2).

Emerging growth company

If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act. ☐




Item 8.01

Other Events.

Community Health Systems, Inc. (the “Company”) was recently notified by Fortra, LLC, a third party vendor of the Company, that Fortra had experienced a security incident that resulted in the unauthorized disclosure of Company data. Fortra is a cybersecurity firm that contracts with Company affiliates to provide a secure file transfer software called GoAnywhere. As a result of the security breach experienced by Fortra, Protected Health Information (“PHI”) (as defined by the Health Insurance Portability and Accountability Act (“HIPAA”)) and “Personal Information” (“PI”) of certain patients of the Company’s affiliates were exposed by Fortra’s attacker.

Upon receiving notification of the security breach, the Company promptly launched an investigation, including to determine whether any Company information systems were affected, whether there was any impact to ongoing operations, and whether and to what extent PHI or PI had been unlawfully accessed by the attacker. While that investigation is still ongoing, the Company believes that the Fortra breach has not had any impact on any of the Company’s information systems and that there has not been any material interruption of the Company’s business operations, including the delivery of patient care. With regard to the PHI and PI compromised by the Fortra breach, the Company currently estimates that approximately one million individuals may have been affected by this attack.

The Company will ensure that appropriate notification is provided to any individuals affected by this attack, as well as to regulatory agencies as required by federal and state law. The Company will also be offering identity theft protection services to individuals affected by this attack. The Company carries cyber/privacy liability insurance to protect it against certain losses related to matters of this nature. However, the Company may have incurred, and may incur in the future, expenses and losses related to this incident that are not covered by insurance. While the Company is continuing to measure the impact, including certain remediation expenses and other potential liabilities, the Company does not currently believe this incident will have a material adverse effect on its business, operations, or financial results.

Forward Looking Statements

This Current Report on Form 8-K contains forward-looking statements within the meaning of Section 27A of the Securities Act of 1933, as amended, Section 21E of the Securities Exchange Act of 1934, as amended, and the Private Securities Litigation Reform Act of 1995 that involve risk and uncertainties. These forward-looking statements are based on our current beliefs, understandings and expectations and may relate to, among other things, statements regarding our current beliefs, understanding and expectations regarding this cyber incident and its impact on our business, operations and financial results. These forward-looking statements are neither promises nor guarantees, but are subject to a variety of risks and uncertainties, many of which are beyond our control, which could cause actual results to differ materially from those contemplated in these forward-looking statements. Factors that could cause actual results to differ materially from those expressed or implied include legal, reputational, and financial risks resulting from this cyber incident, our ongoing investigation of the incident, including the Company’s potential discovery of additional information related to the incident in connection with this investigation, any potential regulatory inquiries and/or litigation to which the Company may become subject in connection with this incident, the extent of remediation and other additional costs that may be incurred by the Company in connection with this incident, and the risks set forth in our Annual Report on Form 10-K for the year ended December 31, 2021, filed with the Securities and Exchange Commission on February 17, 2022, and our other filings with the Securities and Exchange Commission. The Company undertakes no obligation to revise or update any forward-looking statements, or to make any other forward-looking statements, whether as a result of new information, future events or otherwise.


Pursuant to the requirements of the Securities Exchange Act of 1934, the registrant has duly caused this Report to be signed on its behalf by the undersigned hereunto duly authorized.


Date: February 13, 2023   COMMUNITY HEALTH SYSTEMS, INC.

    /s/ Tim L. Hingtgen

    Tim L. Hingtgen
    Chief Executive Officer
    (principal executive officer)