US hospital hack began with Heartbleed exploit, security firm claims

U.S. hospital chain Community Health Systems (CHS), which said in a regulatory filing this week that 4.5 million patient records were stolen in a hacking incident, may have been the first really big victim of the Heartbleed bug.

Heartbleed, a serious flaw in the OpenSSL encryption standard, was revealed back in April – it made it possible for attackers to peek into the memory of OpenSSL-protected systems, allowing them to pick up passwords, login details and so on. OpenSSL’s ubiquity meant Heartbleed caused widespread and well-founded panic, as vendors and systems administrators raced to patch their systems.

Security research outfit TrustedSec said on Tuesday that the CHS hack, which happened somewhere between April and June and is believed to have been the work of Chinese hackers, used Heartbleed in its early stages.

TrustedSec said a source close to the investigation said the attackers used the flaw to pull user credentials from a “[company]Juniper[/company] device”. Once they had those, they were able to log into [company]CHS[/company]’s systems via a VPN and pull 4.5 million people’s records from a database. These were not medical records, but rather names, addresses and social security numbers.

It took Juniper a few weeks to release a patch for Heartbleed, after the flaw was exposed. And, of course, it would have then been up to CHS’s administrators to apply the patch. It didn’t take long after the bug’s exposure for investigators to notice people exploiting it, with victims including the parenting forum Mumsnet and the Canadian tax authority (affecting 900 people) — but the scale of the CHS hack was something else.

“What we can learn here is that when something as large as Heartbleed occurs (rare) that we need to focus on addressing the security concerns immediately and without delay,” TrustedSec wrote. “Fixing it as soon as possible or having compensating controls in place days before could have saved this entire breach from occurring in the first place.”