Hacked US Hospital Operator Thought To Be Victim Of Heartbleed

Community Health Systems (CHS), the US operator of hospital healthcare who lost 4.5 million patient records in a recent data breach, is believed to have fallen victim to the much-lamented Heartbleed vulnerability in OpenSSL encryption.

According to David Kennedy, CEO of TrustedSec and former employee of the US National Security Agency (NSA), hackers got into the patient database using the unpatched bug in equipment made by Juniper Networks.

This would make the incident the biggest data breach to exploit Heartbleed to date. CHS previously said the digital forensics work conducted by the law enforcement agencies and security specialist Mandiant, a subsidiary of FireEye, leads it to believe that the attack originated from China.

OpenSSL issued a patch in April, several days after Heartbleed was disclosed, while the data breach occurred between April and June. This would suggest that attackers used the fresh vulnerability to hit the systems that weren’t updated – something that’s bound to cause discomfort at the CHS.

The plot thickens

Heartbleed (official designation CVE-2014-0160), was discovered by researchers from Finnish security firm Codenomicon and Neel Mehta from Google Security. It allows the attacker to obtain the encryption keys used by a website, decrypt any past and future traffic to the protected services and to impersonate those services at will.

To make matters worse, any attack that uses Heartbleed is virtually undetectable, and security experts are still not sure whether the bug was widely known among cyber criminals before it was made public. It was estimated in April that the vulnerability affected the security of as many as two-thirds of all websites, including those of social networks and banks.

TrustedSec says that according to its sources, Heartbleed was left unpatched in the equipment used by CHS to provide remote access to employees via Virtual Private Networks (VPNs). Attackers were able to glean user credentials from memory on a piece of Juniper hardware, which were then used to log into VPN and eventually led to the patient database.

Data stolen in the breach included names, addresses, birth dates, telephone numbers and Social Security numbers of people who received medical services from CHS in the past five years. No financial data or medical information was compromised.

“This is the first confirmed breach of its kind where the Heartbleed bug is the known initial attack vector that was used,” said TrustedSec in a statement.

“What we can learn here is that when something as large as Heartbleed occurs (rare) that we need to focus on addressing the security concerns immediately and without delay.  Fixing it as soon as possible or having compensating controls in place days before could have saved this entire breach from occurring in the first place.”

What do you know about crime and punishment in the digital age? Take our quiz!

Max Smolaks

Max 'Beast from the East' Smolaks covers open source, public sector, startups and technology of the future at TechWeekEurope. If you find him looking lost on the streets of London, feed him coffee and sugar.

Recent Posts

Google Warns Of Italian Spyware On Apple, Android Phones

Italian company's hacking tools have been used to spy on Apple, Android smartphones in Italy…

2 days ago

Intel Signals Delay To Ohio Factory Over US Chips Act Dispute

Chip maker warns new factory in Columbus, Ohio could be delayed or scaled back, over…

2 days ago

Silicon UK In Focus Podcast: Sustainable Business

How do sustainable businesses use technology to innovate? And as businesses want to connect sustainability…

2 days ago

Australia Fines Samsung Over Water-Resistance Claims

Samsung rapped over the knuckles by Australian regulator because of 'misleading' Galaxy smartphone water-resistance claims…

3 days ago

Amazon Reveals Alexa Option To Mimic Any Person’s Voice

Bereavement aid for those in mourning? Amazon's Alexa voice assistant could be programmed to sound…

3 days ago