(Adds details on link to Heartbleed bug, previous FBI alerts)
By Jim Finkle
BOSTON Aug 20 The FBI has warned that
healthcare industry companies are being targeted by hackers,
publicizing the issue following an attack on U.S. hospital group
Community Health Systems Inc that resulted in the theft
of millions of patient records.
"The FBI has observed malicious actors targeting healthcare
related systems, perhaps for the purpose of obtaining Protected
Healthcare Information (PHI) and/or Personally Identifiable
Information (PII)," the agency said in a "Flash" alert obtained
by Reuters on Wednesday.
"These actors have also been seen targeting multiple
companies in the healthcare and medical device industry
typically targeting valuable intellectual property, such as
medical device and equipment development data," the one page
The FBI and Department of Homeland Security periodically
release alerts to provide U.S. businesses with technical details
and other information they can use to either prevent or identify
cyber attacks. Such reports are typically only issued to
businesses and not distributed to the general public.
The FBI has been concerned about healthcare providers for
several months. In April, it warned the industry that its
systems were lax compared with other sectors, making it
vulnerable to hackers looking to access bank accounts or obtain
The agency has also reached out to other industries,
including a warning to retailers in January alerting them to
expect more credit card breaches in the wake of last year's
attack on Target Corp.
The recent alert to healthcare companies did not identify
any specific victims targeted by hackers. An agency spokesman
declined to comment on the document.
Community Health, the No. 2 U.S. publicly traded hospital
operator, disclosed the attack on Monday, saying stolen data
included patient names, addresses, birth dates and Social
The healthcare company has said little about how its network
David Kennedy, an expert in healthcare security, said he has
learned the hackers broke into the company's computer system
using a piece of networking equipment that had not been patched
to fix the "Heartbleed" Internet bug. The break-in was the first
known large-scale cyber attack to exploit that vulnerability.
Kennedy, who is chief executive of TrustedSec LLC, said
multiple people familiar with the investigation told him hackers
exploited the bug in a piece of Juniper Networks Inc
equipment to obtain employee credentials and access the
company's network. Once in, they hacked their way into a
database containing Social Security numbers and other records.
Juniper spokeswoman Danielle Hamel declined to comment on
the breach, but said her company issued patches in April to
protect customers against Heartbleed.
Community Health spokeswoman Tomi Galin did not respond to
requests for comment on Heartbleed.
(Reporting by Jim Finkle. Editing by Andre Grenon)