Massive Hospital Data Breach Linked To Heartbleed Bug

Using the computer bug called ‘Heartbleed’ -- hackers recently launched an unprecedented cyber attack on a large U.S. hospital system and stole the personal health data of 4.5 million patients.

The recent cyber attack on the computer systems of U.S. hospital group Community Health Systems (CHS) resulted to the theft of the personal health information of some 4.5 million patients. The data stolen included names, addresses, phone numbers, birth dates and social security numbers of patients in the hospital network, which operates at least 206 hospitals across 29 states.

Now, an information security expert claims that hackers had used the OpenSSL encryption security flaw called Heartbleed to stealthily gain access to the demographic records of CHS patients. OpenSSL is used by thousands of websites, data centers, mobile phones, and telecommunications systems to protect sensitive personal information. 

In a blog post, David Kennedy of TrustedSec, citing an anonymous and credible source close to the official investigation on the hacking, wrote that the “attackers were able to glean user credentials from memory on a CHS Juniper device via the Heartbleed vulnerability (which was vulnerable at the time) and use them to login via a VPN [virtual private network].” 

If verified, the breach is the largest attack carried out successfully using the Heartbleed bug since it was publicly disclosed in April. The vulnerability allows hackers unfettered and untraceable access to electronic health records (EHRs), patient portals, medical devices, insurance exchanges and telemedicine apps.

Kennedy told Reuters that the hackers used equipment made by Juniper Networks Inc. to hack CHS. The hackers used fake employee log-in credentials to tap into CHS’ database and steal millions of social security numbers and other information.

Shortly after the CHS disclosure, the FBI issued a warning to healthcare organizations and facilities of ongoing and impending cyber security threats. In a flash alert, the agency said, “The FBI has observed malicious actors targeting healthcare related systems, perhaps for the purpose of obtaining Protected Healthcare Information (PHI) and/or Personally Identifiable Information (PII).” 

“These actors have also been seen targeting multiple companies in the healthcare and medical device industry typically targeting valuable intellectual property, such as medical device and equipment development data,” the warning stated, according to Reuters.

CHS did not identify Heartbleed in its SEC filing about the hacking incident. However, the filing described the attack that happened in April and June emanated from China.

A patch has been made shortly after the Heartbleed flaw was discovered in April, and many companies scrambled to have the patch installed. But four months later, the attack on CHS is a reminder that many systems are still vulnerable. 

The FBI had warned in April that the healthcare industry’s computer security practices are not up to par with other industries, such as the financial sector. The recent data breach at CHS underscores that threat. 

But even though the criticism on the healthcare sector is warranted, updating massive systems in a short span of time may be logistically difficult, according to a cybercrime expert.

“Even though a patch might exist, it can be difficult to implement,” Lillian Ablon of RAND Corp. recently told Modern Healthcare. “Doing so may require slowing down or stopping business or a critical piece of equipment for testing or compliance requirements. So it's not as though people don't want to patch—they may just be hampered by other external issues. This leaves many still open and vulnerable.”

Nevertheless, the incident had given renewed urgency to the matter of vulnerable computer systems used in the healthcare industry.

“We’ve not been on the front lines as long as defense or finance… but I’m slowly starting to see that shift as I talk to my peers,” Reid Stephan, director of IT security at St. Luke’s Health System, said in a Wall Street Journal article.

Speaking during a monthly cyber threat briefing, Roy Mellinger, vice president and chief information security officer at insurance company WellPoint, acknowledged that the sector should beef up its security measures, and pointed out that what is crucial is to get “information across the sector to let healthcare executives know what is going on and if they are taking the right steps to keep data secure,” according to a FierceHealthIT report.