U.S. hospital breach biggest yet to exploit Heartbleed bug: expert

Wed Aug 20, 2014 2:29am EDT

A lock icon, signifying an encrypted Internet connection, is seen on an Internet Explorer browser in a photo illustration in Paris April 15, 2014. REUTERS/Mal Langsdon


(Reuters) - Hackers who stole the personal data of about 4.5 million patients of hospital group Community Health Systems Inc broke into the company's computer system by exploiting the "Heartbleed" internet bug, making it the first known large-scale cyber attack using the flaw, according to a security expert.

The hackers, taking advantage of the pernicious vulnerability that surfaced in April, got into the system by using the Heartbleed bug in equipment made by Juniper Networks Inc, David Kennedy, chief executive of TrustedSec LLC, told Reuters on Wednesday.

Kennedy said that multiple sources familiar with the investigation into the attack had confirmed that Heartbleed had given the hackers access to the system.

Community Health Systems said on Monday that the attack had originated in China.

Kennedy, who testified before the U.S. Congress on security flaws in the healthcare.gov website that Americans use to sign up for Obamacare health insurance programs, said the hospital operator uses Juniper's equipment to provide remote access to employees through a virtual private network, or VPN.

The hackers used stolen credentials to log into the network posing as employees, Kennedy said. Once in, they hacked their way into a database and stole millions of social security numbers and other records, he said.

Heartbleed is a major bug in OpenSSL encryption software that is widely used to secure websites and technology products including mobile phones, data center software and telecommunications equipment.

It makes systems vulnerable to data theft by hackers who can attack them without leaving a trace.

Community Health Systems, one of the biggest U.S. hospital groups, said the information stolen included patient names, addresses, birth dates, phone numbers and social security numbers of people who were referred or received services from doctors affiliated with the company over the last five years.

Representatives of Community Health Systems could not be reached for comment outside regular U.S. business hours. A Juniper spokeswoman said she had no immediate comment.

A spokesman for FireEye Inc's Mandiant forensics unit, which is leading the investigation into the breach, declined to comment.

Canada's tax-collection agency said in April that the private information of about 900 people had been compromised after hackers exploited the Heartbleed bug.

(Reporting by Jim Finkle in Boston and Supriya Kurane in Bangalore; Editing by Gopakumar Warrier and Ted Kerr)

Comments (3)
Robertla wrote:
…are you saying that CHS did not patch their systems in April, when remedies became available………? that could be negligence on the part of Community Health Systems

….anyone know when the breaches occurred?

Aug 20, 2014 5:10am EDT
gordo53 wrote:
That it was possible to log into the network remotely is the flaw. Isolating your private network is the one thing that virtually guarantees that hackers (Chinese and others) have no chance of breaching your site. The downside is, of course, that applications that need a public interface to sensitive data need to be modified. There is an expense and some added complexity, but it is not rocket science. To attach your sensitive, valuable data to a public network is pure negligence. It’s like leaving your car unlocked with the keys in it. It is an invitation to thieves.

Aug 20, 2014 9:56am EDT