Heartbleed exploited in Community Health Systems data breach

By  | 

Community Health Systems, one of the US’s largest network of hospital operators has revealed that it had suffered a data breach earlier this year, compromising the personal identification data of “approximately 4.5 million patients”, and the recently discovered & patched heartbleed bug is to blame.

Community Health Systems operates about 206 hospitals located in 29 states with a major focus on rural areas. The purpose of the attack remains to be unclear. The data stolen include the personal identification data such as names, telephone numbers, birthdates, addresses, social security numbers, etc., and details including patient credit card, medical, or clinical information were not compromised.

The attacker is believed to be the ‘Advanced Persistent Threat Group’ from China that is said to use “highly sophisticated malware and technology” to attack the network to watch over the email conversations and other sensitive information stored and steal data.

According to the SEC filing, the federal authorities have informed the Community Health Systems that the data breach, occurred between April and June 2014, was typically about the information related to medical devices and equipment development.

Community Health Systems said that it has started notifying those patients whose information was stolen. The company noted that Mandiant, its IT security contractor, has removed the malware that was used to steal information from its network and has also taken preventive measures to safeguard information from future attacks.

The hackers managed to get into the system by exploiting heartbleed bug in equipment made by Juniper Networks Inc, according to David Kennedy, chief executive of TrustedSec LLC.

Kennedy added that the perpetrators used stolen credentials to log into their target’s network posing as employees and once they were in they managed to hack into the database and siphoned off millions of social security numbers and other records.