It looks like a familiar culprit is responsible for the theft of information on 4.5 million patients from the Community Health Systems hospital network. Franklin, TN-based Community Health Systems (CHS), which operates 206 hospitals in 29 states across the United States, has confirmed that from April to June 2014, its network suffered a criminal cybersecurity breach. Security experts are saying the hackers responsible exploited the Heartbleed bug.
No data related to credit cards, medical records, or clinical information was stolen. However, the hackers were able to obtain the names, birth dates, phone numbers, and Social Security numbers of the 4.5 million patients. This data is protected under HIPAA compliance rules and is more than sufficient information for savvy hackers to commit identity theft.
CHS has employed American cybersecurity firm Mandiant to investigate the attack. Representatives from Mandiant could not be reached for comment, but a statement from CHS says that the attackers were an “advanced persistent threat” group based in China. While the group is not identified by name, the statement says this Chinese group is notorious for going after valuable intellectual property data such as medical device and equipment development data.
The company would not comment on the specific nature of the attack beyond saying that the hackers were able to install malware – software designed to surreptitiously gather sensitive information or disrupt computer operations – into its systems. However, the cybersecurity community believes the attack was committed using the infamous Heartbleed bug, which made headlines earlier this year when experts discovered that the widespread security bug affected a vast number of Internet sites, including Yahoo, Google, and GoDaddy, effectively allowing hackers unfettered access to all manner of sensitive information.
Anonymous sources have told information security firm TrustedSec that the hackers gained access to the CHS network through a network device manufactured by Juniper Networks Inc. that had not been patched to fix the Heartbleed vulnerability. TrustedSec is calling this the first cybersecurity breach of its kind where Heartbleed was exploited as the initial method of attack.
“It has been estimated that up to 70% of systems and devices vulnerable to Heartbleed are still vulnerable,” says Mike Ahmadi, global director of medical security at Codenomicon, the security firm that first discovered the Heartbleed bug. He says that while the initial news of the bug sparked panic and a strong initial push, things have calmed down despite the bug still being very pervasive. “Time tends to falsely convince decision makers that if they have not yet been compromised, they are probably okay, and do not need to invest resources on fixing the problem anymore...even though the exact opposite is true,” Ahmadi says. “As much as everyone seems to love using risk management to make decisions, the truth is that people are just not very good at quantifying cybersecurity risks.”
CHS says the malware has since been removed and measures have been taken. Regulatory agencies as well as parties affected by the breach have been notified. CHS will also be offering identity theft protection services to those affected by the attack. The company does not believe this incident will adversely affect its business or financial results.