Community Health Systems, which operates 206 hospitals around the U.S., announced today that in a recent data breach hackers stole data on 4.5 million patients, including names, Social Security numbers, addresses, birthdays and telephone numbers. The hackers did not steal information about patients’ medical histories, clinical operations or credit cards.

According to a CNN report, anyone who received treatment from a network-owned hospital in the last five years, or was just referred there by an outside doctor, is affected.

The company operates hospitals in 28 states, but predominantly in Alabama, Florida, Mississippi, Oklahoma, Pennsylvania, Tennessee and Texas.

Community Health Systems hired cybersecurity investigators from Mandiant to confirm the loss, and the investigators determined that the hackers were in China, using high-end, sophisticated malware to launch the attacks sometime in April and June this year, CNN reports.