Chinese hackers exploited the Heartbleed Internet security flaw to steal data on 4.5 million patients of Community Health Systems Inc. (CYH), the first known breach of a company by use of the vulnerability, said a person involved in the investigation who wasn’t authorized to comment publicly.
Community Health, the second-biggest for-profit U.S. hospital chain, disclosed yesterday that Chinese hackers stole patients’ Social Security numbers, names and addresses, without revealing how the hackers got in.
The group suspected of being responsible for the attack has a history of stealing intellectual property from health-care companies, and security specialists say it’s unusual for such thieves to turn to personal data.
The Heartbleed flaw, which was made public on April 7, was considered significant because it allows hackers to steal secret keys used to encrypt user names, passwords and other digital data. The revelation sent companies and security researchers rushing to patch their computer networks.
“We never had any tangible proof of an attack until now,” said David Kennedy, founder of TrustedSec LLC, a security consulting company based in Cleveland, Ohio, who first reported on his company’s website that Heartbleed was used to attack Community Health. Kennedy, who isn’t involved in the investigation, said he was told about the connection by three people close to the matter whose names he wouldn’t disclose.
This may be the first of many cases linked to Heartbleed. Investigators may have trouble determining whether the motive of the Community Health attack was to steal data that could be resold or provide access to bank accounts, or whether hackers were stealing on behalf of the Chinese government.
Tomi Galin, a spokeswoman for Franklin, Tennessee-based Community Health, declined to comment on the use of Heartbleed in the attack. She said in an e-mail yesterday that “no patient medical or financial information was transferred as a result of this intrusion.”
The Chinese hackers exploited the Heartbleed flaw to steal user names and passwords to access one of the company’s private communications channels, Kennedy said. The incursion happened about a week after Heartbleed was made public and before Community Health altered its security to reduce its vulnerability, Kennedy said.
The attacks occurred in April and June, Community Health said in a U.S. regulatory filing.
Heartbleed is a programming mistake in OpenSSL, used by Internet companies to secure traffic flowing between servers and computers. SSL refers to an encryption protocol known as Secure Sockets Layer and its use is indicated by a closed padlock appearing on browsers next to a website’s address.
Paul Bresson, a spokesman for the Federal Bureau of Investigation, which is probing the Community Health attack, declined to comment.
The Chinese embassy in Washington said it wasn’t aware of the attack.
“Chinese laws prohibit cyber crimes of all forms and Chinese government has done whatever it can to combat such activities,” Geng Shuang, an embassy spokesman, said in an e-mail yesterday. “Making groundless accusations at others is not constructive at all and does not contribute to the solution of the issue.”
To contact the reporter on this story: Chris Strohm in Washington at firstname.lastname@example.org