Heartbleed bug reportedly behind major Community Health Systems data breach


Hackers are believed to have exploited a weakness caused by the Heartbleed bug to steal the personal data of 4.5 million patients from one of the USA's largest medical firms, Community Health Systems (CHS).

David Kennedy, chief executive of IT security consultant TrustedSec, told Reuters that the vulnerability came about in April 2014 when Heartbleed-affected equipment was used.

Heartbleed itself is a major flaw that affects the integrity of SSL/TLS encryption, which secures internet services and transactions. By taking advantage of this programming error, hackers were able to access the CHS system without leaving a trace.

According to Kennedy, CHS used the equipment to give employees remote access via a virtual private network.

News of the breach emerged from a regulatory filing yesterday in which CHS revealed that no medical information or credit card numbers were taken.

The attack affects patient data from all 206 of the firm's hospitals, which are located across 29 states, and could put victims at risk of identity theft.

Names, addresses, birth dates, telephone numbers and Social Security numbers of patients who appeared anywhere in the hospital group's data system within the last five years were accessed.

Eric Chiu, president of the cloud control company HyTrust, said the data accessed by the hackers is often only accessible to employees.

"This type of data is generally stored on servers in the core of a datacentre that would require employee access.

"It's likely that this data was stolen over days or even weeks or months without being detected, which would also indicate that the attack leveraged or came from the inside," he added.

APT 18, a hacking group thought to be associated with the Chinese government, is believed to be responsible for the cyber attack, according to security experts.

Charles Carmakal is the managing director of FireEye's Mandiant forensics unit, the company that investigated the attack back in April. He said: "[APT 18] has fairly advanced techniques for breaking into organisations as well as maintaining access for fairly long periods of time without getting detected."

However, Amichai Shulman, CTO for datacentre security specialist Imperva, said the breach could be attributed to a criminal organisation using a commercialised version of the malware previously used by the Chinese hackers.

"Rather than actually infiltrate the organisation like Chinese cyber intelligence units, the criminal hackers used an automated tool that searched for specific personal intelligence data by, for instance, looking for SSN patterns."

The security measures employed by the company have since come under fire for enabling such a prolonged cyber attack to take place.

"Breaches like this are almost expected," according to Steve Hultquist, chief evangelist at RedSeal Networks, a company that prevents cyber attacks.

Limiting defenses to typical security controls and monitoring systems is not enough, he added.

"Organisations must use proactive security analytics to determine possible access to ensure their other security investments are appropriately deployed and functioning as intended."

But, according to Philip Lieberman, president of Lieberman Software, there is simply no financial incentive for hospital groups to heighten their data security.

"There is no incentive for them to invest, nor is there any material consequence of their failure to protect their infrastructure," he said.

CHS is insured against cyber losses and said it does not expect to see a material adverse effect on financial results at this time. Monday saw the group's stock rise 1.3 per cent on the New York Stock Exchange.

In response, Jérôme Segura, senior security researcher at anti-malware firm Malwarebytes, said: "The medical sector is not as well protected against such attacks as other sectors and often times firms will rely on their liability insurance to cover themselves instead of dedicating a budget for cyber security.

"This may work from a business standpoint in a typical risk versus cost scenario but it completely ignores the implications on individuals who may face the pain and worry of identity theft or privacy violations," Segura concluded.

This article was first published on 19/08/14 and was updated on 20/08/14 to reflect new information.