A group of hackers, believed to be from China, has breached a large American hospital network, stealing 4.5 million patients’ records.

The target of the attack, Community Health Systems, revealed the breach in a regulatory filing on Monday. The hackers obtained the “patient names, addresses, birthdates, telephone numbers and social security numbers,” but no credit card numbers or “medical or clinical information,” the company wrote in the filing.

Community Health Systems, as well as Mandiant, a forensic firm part of security company FireEye, believe that the attack stemmed from China.

“The attacker was an ‘Advanced Persistent Threat’ group originating from China who used highly sophisticated malware and technology to attack the company’s systems,” the network, which operates 206 hospitals across the United States, wrote in the filing.

Unlike usual Chinese government-sponsored attacks, the hackers didn’t target intellectual property or trade secrets, according to Community Health Systems.

Patients who got their data stolen will be notified by Community Health Systems, but it’s unclear who will be notified, as there’s no federal data breach law that mandates notifications, just a patchwork of different state regulations, as CNN explained in its report.

However, if a patient is notified or finds out, he or she could theoretically sue the company, since the data stolen is protected by the federal health records protection law, the Health Insurance Portability and Accountability Act (HIPAA).

The FBI confirmed to Reuters that it’s investigating the case. In May, the U.S. government brought charges against five members of the Chinese military for their alleged role in protracted cyberespionage operations against U.S. companies. China has long denied sponsoring any such activity, arguing that all U.S. accusations are unfounded.

Have something to add to this story? Share it in the comments.