Hacked US Hospital Operator Thought To Be Victim Of Heartbleed

Community Health Systems (CHS), the US operator of hospital healthcare who lost 4.5 million patient records in a recent data breach, is believed to have fallen victim to the much-lamented Heartbleed vulnerability in OpenSSL encryption.

According to David Kennedy, CEO of TrustedSec and former employee of the US National Security Agency (NSA), hackers got into the patient database using the unpatched bug in equipment made by Juniper Networks.

This would make the incident the biggest data breach to exploit Heartbleed to date. CHS previously said the digital forensics work conducted by the law enforcement agencies and security specialist Mandiant, a subsidiary of FireEye, leads it to believe that the attack originated from China.

OpenSSL issued a patch in April, several days after Heartbleed was disclosed, while the data breach occurred between April and June. This would suggest that attackers used the fresh vulnerability to hit the systems that weren’t updated – something that’s bound to cause discomfort at the CHS.

The plot thickens

Heartbleed (official designation CVE-2014-0160), was discovered by researchers from Finnish security firm Codenomicon and Neel Mehta from Google Security. It allows the attacker to obtain the encryption keys used by a website, decrypt any past and future traffic to the protected services and to impersonate those services at will.

To make matters worse, any attack that uses Heartbleed is virtually undetectable, and security experts are still not sure whether the bug was widely known among cyber criminals before it was made public. It was estimated in April that the vulnerability affected the security of as many as two-thirds of all websites, including those of social networks and banks.

TrustedSec says that according to its sources, Heartbleed was left unpatched in the equipment used by CHS to provide remote access to employees via Virtual Private Networks (VPNs). Attackers were able to glean user credentials from memory on a piece of Juniper hardware, which were then used to log into VPN and eventually led to the patient database.

Data stolen in the breach included names, addresses, birth dates, telephone numbers and Social Security numbers of people who received medical services from CHS in the past five years. No financial data or medical information was compromised.

“This is the first confirmed breach of its kind where the Heartbleed bug is the known initial attack vector that was used,” said TrustedSec in a statement.

“What we can learn here is that when something as large as Heartbleed occurs (rare) that we need to focus on addressing the security concerns immediately and without delay.  Fixing it as soon as possible or having compensating controls in place days before could have saved this entire breach from occurring in the first place.”

What do you know about crime and punishment in the digital age? Take our quiz!