Cybercriminals exploited the OpenSSL Heartbleed bug in a Juniper Networks device, resulting in a massive data breach at Community Health Systems Inc. that could impact up to 4.5 million patients.
The attack originated in China and used highly sophisticated malware, according to Community Health Systems, which provides management, consulting and information technology services for health-care providers. The company acknowledged the breach on Wednesday, indicating that its computer network was targeted by attackers in separate intrusions conducted in April and June. The stolen data includes patient names, addresses, birth dates, Social Security numbers, and, in some cases, telephone numbers, and the names of employers or guarantors, the company said.
Not all patients or doctors affiliated with Community Health Systems Professional Services Corp. (CHSPSC) are impacted by the breach, the company said.
"CHSPSC has implemented efforts designed to protect against future intrusions," according to a company statement about the breach posted on its website. "These efforts include implementing additional audit and surveillance technology to detect unauthorized intrusions, adopting advanced encryption technologies and requiring users to change their access passwords."
The United States Computer Emergency Readiness Team (US-CERT) said it is working with the FBI and the Department of Health and Human Services to gain information about the tactics used in the breach and provide guidance to other health-care providers to take precautions.
The initial attack vector is believed to be the OpenSSL Heartbleed vulnerability, targeted in a Juniper device, according to Strongsville, Ohio-based TrustedSec, citing an "anonymous source" close to the investigation. The security consultancy and solution provider, headed by security industry veteran David Kennedy, said the attackers were able to get user credentials from the memory of the Juniper device, which was vulnerable to the Heartbleed flaw at the time. The attackers used the stolen credentials to log into the corporate network through the Community Health Systems VPN, Kennedy said in a blog post about the security breach.
"This is the first confirmed breach of its kind where the Heartbleed bug is the known initial attack vector that was used," Kennedy said. "There are sure to be others out there, however, this is the first known of its kind."
Security experts have warned that the dangerous flaw could be used by criminals to intercept passwords, user names and other sensitive information as the it crosses the corporate network. TrustedSec said that once inside, the attackers moved to the Community Health Systems database containing the patient records.
"What we can learn here is that when something as large as Heartbleed occurs [rare], that we need to focus on addressing the security concerns immediately and without delay," Kennedy said. "Fixing it as soon as possible or having compensating controls in place days before could have saved this entire breach from occurring in the first place."
The Canada Revenue Agency rushed to patch a web server containing the Heartbleed bug in April, after investigators there determined an attack exposed data affecting 900 Canadian citizens.
The OpenSSL Project issued a patch in April, repairing the vulnerability. The coding error in the open source encryption protocol impacted a variety of commercially available networking devices, including widely used firewall and VPN appliances from Cisco Systems, Juniper Networks and others. Juniper identified eight products containing the Heartbleed vulnerability and issued patches to customers.
These included Junos OS 13.3R1, along with certain versions of Juniper Network Connect, Junos Pulse and Odyssey clients versions 5.6r5 and later. Juniper's SSL VPN software also was impacted.
NEXT: Heartbleed Bug Had No Easy Fix, Say Solution Providers