Heartbleed flaw used by Chinese hackers to attack in US health system

Chinese cyber-criminals exploited an Internet security bug to steal personal information on 4.5 million patients at the for-profit U.S. hospital chain Community Health Systems, a source involved in a probe into the data breach. The bug, known as Heartbleed, “allows hackers to steal secret keys used to encrypt user names, passwords and other digital data.

Heartbleed is a major bug in OpenSSL encryption software that is widely used to secure websites and technology products including mobile phones, data center software and telecommunications equipment. It makes systems vulnerable to data theft by hackers who can attack them without leaving a trace.

The head of TrustedSec - a cybersecurity firm - now alleges that the encryption flaw was exploited.

TrustedSec said a source close to the investigation said the attackers used the flaw to pull user credentials from a “Juniper device”. Once they had those, they were able to log into CHS‘s systems via a VPN and pull 4.5 million people’s records from a database. These were not medical records, but rather names, addresses and social security numbers.

It took Juniper a few weeks to release a patch for Heartbleed, after the flaw was exposed. And, of course, it would have then been up to CHS’s administrators to apply the patch. It didn’t take long after the bug’s exposure for investigators to notice people exploiting it, with victims including the parenting forum Mumsnet and the Canadian tax authority (affecting 900 people) — but the scale of the CHS hack was something else.

“What we can learn here is that when something as large as Heartbleed occurs (rare) that we need to focus on addressing the security concerns immediately and without delay,” TrustedSec wrote. “Fixing it as soon as possible or having compensating controls in place days before could have saved this entire breach from occurring in the first place.”

Community Health Systems, one of the biggest U.S. hospital groups, said the information stolen included patient names, addresses, birth dates, phone numbers and social security numbers of people who were referred or received services from doctors affiliated with the company over the last five years.