Heartbleed may be culprit in hospital chain hack

Hackers reportedly exploited the widespread Internet security flaw to steal the personal information of 4.5 million patients.

Don Reisinger

CNET contributor Don Reisinger is a technology columnist who has covered everything from HDTVs to computers to Flowbee Haircut Systems. Besides his work with CNET, Don's work has been featured in a variety of other publications including PC World and a host of Ziff-Davis publications.

See full bio

Don Reisinger

Aug. 20, 2014 8:23 a.m. PT

2 min read

Chinese hackers used the widespread Heartbleed security vulnerability to steal the personal information on 4.5 million patients of Community Health Systems, reported Bloomberg on Wednesday.

Community Health Systems, the second-largest for-profit hospital chain in the US, announced Tuesday that hackers based in China had accessed its network and stolen data on 4.5 million patients. The stolen data included social security numbers, names, and addresses of people who were refereed to or received services at the hospital chain. In a filing with the US Securities and Exchange Commission, Community Health Systems said the hackers used "highly sophisticated malware" to bypass security measures and attack its system -- but didn't go into detail about the cyberattack.

The Chinese hackers appear to have exploited the so-called Heartbleed bug to steal the data from Community Health Systems, an unnamed person involved in the investigation told Bloomberg.

Heartbleed, which was first identified in April, impacts OpenSSL, an open-source software for encrypting information across the Web. It left information stored on data servers -- often user data and personal information -- vulnerable to hackers. What made Heartbleed different: its inherent nature within the OpenSSL framework, which is used by thousands of websites, left huge numbers of servers on the Web exposed. Some hackers were also able to use the flaw to steal servers' digital encryption keys, giving them access to typically encrypted communications.

After Heartbleed was revealed, companies worldwide worked to patch the bug, but as of June an estimated 300,000 servers remain vulnerable. Along the way, it was also discovered that some governments might have known about the Internet vulnerability and used it for their advantage.

Community Health Systems said it is working with law enforcement to determine who is responsible for the hack, which occurred between April and June. If the hackers used Heartbleed to access Community Health Systems' servers, it happened after the bug was publicly revealed an being patched by many companies.

The question on the minds of both the hospital chain and security experts: Why the company was hacked in the first place? Security firm Mandiant, which investigated the breach, said the hackers belong to a group that targets defense, engineering, financial services, and health care companies.

CNET has contacted Community Health Systems for comment on the report. We will update this story when we have more information.