Hackers Exploit Heartbleed To Swipe Data Of 4.5 Million

Erin McCann | Healthcare IT News | December 12, 2014

In the second biggest HIPAA breach ever reported, one of the nation's largest healthcare systems has notified some 4.5 million of its patients that their personal information has been stolen by cybercriminals. The Franklin, Tenn.-based Community Health Systems, which operates 206 hospitals across 29 states, reported in an Aug. 18 federal securities filing that hackers were able to gain access to CHS' systems during April and June 2014. The attack, which investigators attribute to a Chinese Advanced Persistent Threat group, "used highly sophisticated malware and technology," the filing stated.

According to sources from information security firm TrustedSec, the hackers exploited CVE-2014-0160, also known as the OpenSSL Heartbleed vulnerability. They used the Heartbleed flaw against a Community Health Systems Juniper device to obtain user credentials from its memory. Then, as TrustedSec officials pointed out, they used those credentials to log in via a virtual private network.

The attackers accessed the Social Security numbers, patient names, addresses, dates of birth and telephone numbers of 4.5 million people. Only on Aug. 19 did the Federal Bureau of Investigation issue an alert to healthcare organizations that may be susceptible to such an attack, which FBI officials appeared to admit was late to the game. Moreover, the alert was not specific to the CHS hacking incident...