Hacked US Hospital Operator Thought To Be Victim Of Heartbleed

Community Health Systems (CHS), the US operator of hospital healthcare who lost 4.5 million patient records in a recent data breach, is believed to have fallen victim to the much-lamented Heartbleed vulnerability in OpenSSL encryption.

According to David Kennedy, CEO of TrustedSec and former employee of the US National Security Agency (NSA), hackers got into the patient database using the unpatched bug in equipment made by Juniper Networks.

This would make the incident the biggest data breach to exploit Heartbleed to date. CHS previously said the digital forensics work conducted by the law enforcement agencies and security specialist Mandiant, a subsidiary of FireEye, leads it to believe that the attack originated from China.

OpenSSL issued a patch in April, several days after Heartbleed was disclosed, while the data breach occurred between April and June. This would suggest that attackers used the fresh vulnerability to hit the systems that weren’t updated – something that’s bound to cause discomfort at the CHS.

The plot thickens

Heartbleed (official designation CVE-2014-0160), was discovered by researchers from Finnish security firm Codenomicon and Neel Mehta from Google Security. It allows the attacker to obtain the encryption keys used by a website, decrypt any past and future traffic to the protected services and to impersonate those services at will.

To make matters worse, any attack that uses Heartbleed is virtually undetectable, and security experts are still not sure whether the bug was widely known among cyber criminals before it was made public. It was estimated in April that the vulnerability affected the security of as many as two-thirds of all websites, including those of social networks and banks.

TrustedSec says that according to its sources, Heartbleed was left unpatched in the equipment used by CHS to provide remote access to employees via Virtual Private Networks (VPNs). Attackers were able to glean user credentials from memory on a piece of Juniper hardware, which were then used to log into VPN and eventually led to the patient database.

Data stolen in the breach included names, addresses, birth dates, telephone numbers and Social Security numbers of people who received medical services from CHS in the past five years. No financial data or medical information was compromised.

“This is the first confirmed breach of its kind where the Heartbleed bug is the known initial attack vector that was used,” said TrustedSec in a statement.

“What we can learn here is that when something as large as Heartbleed occurs (rare) that we need to focus on addressing the security concerns immediately and without delay.  Fixing it as soon as possible or having compensating controls in place days before could have saved this entire breach from occurring in the first place.”

What do you know about crime and punishment in the digital age? Take our quiz!

Max Smolaks

Max 'Beast from the East' Smolaks covers open source, public sector, startups and technology of the future at TechWeekEurope. If you find him looking lost on the streets of London, feed him coffee and sugar.

Recent Posts

Ericsson To Cut 1,200 Jobs in Sweden Amid ‘Challenging’ Market

Swedish telecoms giant Ericsson blamed “challenging mobile networks market” and “further volume contraction” for job…

35 mins ago

FTX’s Sam Bankman-Fried Sentenced To 25 Years In Prison For $8bn Fraud

Dramatic downfall. Sam Bankman-Fried sentenced to 25 years in prison for masterminding $8bn fraud that…

1 hour ago

Elon Musk Orders FSD Demo For Every Tesla US Sale

Fallout avoidance? Tesla buyers in the US must be shown how to use the FSD…

2 hours ago

Amazon Pumps Another $2.75 Billion Into Anthropic

Amazon completes its $4bn investment into AI firm Anthropic, after providing an additional $2.75bn in…

4 hours ago

The Sustainability of AI

While AI promises unparalleled efficiency, productivity, and innovation, questions regarding its environmental impact loom large.…

7 hours ago

Trump’s Truth Social Makes Successful Market Debut

Shares in Donald Trump’s social media company rose about 16 percent after first day of…

7 hours ago