Hackers have reportedly used the Heartbleed internet vulnerability to hack into the database of US-based hospitals group Community Health Systems (CHS).
Information security firm TrustedSec said that the attackers used the bug in equipment made by Juniper to log into the computer system of the hospital.
TrustedSec said in a blog post that confirmation of the initial attack vector was obtained from a trusted and anonymous source close to the CHS investigation.
The company added that the attackers were able to glean user credentials from memory on a CHS Juniper device via the Heartbleed vulnerability, and use them to log in via a VPN.
Discovered in the open-source encryption software OpenSSL in April, the Heartbleed bug leaves systems running the widely used cryptographic software library vulnerable. The bug has since been rectified.
If confirmed, the CHS hack would be the biggest data breach to have happened through Heartbleed. Earlier this year, the database of the Canada Revenue Agency was hacked and the social insurance numbers of about 900 citizens were stolen from the website.
CHS said on Monday that its computer network was hacked in April and June by an ‘advanced persistent threat’ group believed to originate from China.
The company said that the attacker was able to bypass the company’s security measures and copy and transfer certain data outside the company.
Details of approximately 4.5 million individuals were breached.
Data such as patient names, addresses, birthdates, telephone numbers and social security numbers, which is protected under the Health Insurance Portability and Accountability Act, was compromised.