The Inquirer-Home

Heartbleed to blame for plundering of 4.5 million CHSPSC hospital records

OpenSSL flaw likely led to Community Health Systems Professional Services Corporation hack
Wed Aug 20 2014, 12:37
Hospital patients have had personal details stolen in Chinese hack

HEALTHCARE PROVIDER Community Health Systems Professional Services Corporation (CHSPSC) has been hacked, and has seen the personal details of some 4.5 million patients plundered.

CHSPSC confirmed the hack, and its investigation of it, in a statement on its website. There we learn that the firm believes the hack can be laid at the feet of a Chinese hacking group that bypassed security and walked off with the booty.

"CHSPSC believes the attacker was an 'Advanced Persistent Threat' group originating from China, which used highly sophisticated malware technology to attack CHSPSC's systems. The intruder was able to bypass the company's security measures and successfully copy and transfer some data existing on CHSPSC's systems," it said.

"Since first discovering the attack, CHSPSC has worked closely with federal law enforcement authorities in connection with their investigation of the matter."

CHSPSC is contacting affected parties, presumably all 4.5 million of them.

A US Securities and Exchange Commission filing is online, and repeats this. It names Mandiant as the forensic partner, and it also provides the 4.5 million number.

The filing says that the entrance weakness has been fixed, and that credit card, medical and clinical information has not been touched. However, what was lost included patient names, addresses, phone numbers, birthdates and social security numbers.

According to security company Trustedsec, the attackers were able to get into the healthcare systems through a Heartbleed bug weakness in Juniper Networks equipment.

"The initial attack vector was through the infamous OpenSSL 'heartbleed' vulnerability which led to the compromise of the information," it said in a post on its website.

"This confirmation of the initial attack vector was obtained from a trusted and anonymous source close to the CHS investigation. Attackers were able to glean user credentials from memory on a CHS Juniper device via the heartbleed vulnerability (which was vulnerable at the time) and use them to login via a VPN." µ

