U.S. hospital breach biggest yet to exploit Heartbleed bug: expert

[August 20, 2014]
By Jim Finkle and Supriya Kurane

(Reuters) - Hackers who stole the personal data of about 4.5 million patients of hospital group Community Health Systems Inc broke into the company's computer system by exploiting the "Heartbleed" internet bug, making it the first known large-scale cyber attack using the flaw, according to a security expert.

The hackers, taking advantage of the pernicious vulnerability that surfaced in April, got into the system by using the Heartbleed bug in equipment made by Juniper Networks Inc, David Kennedy, chief executive of TrustedSec LLC, told Reuters on Wednesday.

Kennedy said that multiple sources familiar with the investigation into the attack had confirmed that Heartbleed had given the hackers access to the system.
 
 Community Health Systems said on Monday that the attack had 
			originated in China.
 
Kennedy, who testified before the U.S. Congress on security flaws in the healthcare.gov website that Americans use to sign up for Obamacare health insurance programs, said the hospital operator uses Juniper's equipment to provide remote access to employees through a virtual private network, or VPN.

The hackers used stolen credentials to log into the network posing as employees, Kennedy said. Once in, they hacked their way into a database and stole millions of social security numbers and other records, he said.
 
 Heartbleed is a major bug in OpenSSL encryption software that is 
			widely used to secure websites and technology products including 
			mobile phones, data center software and telecommunications 
			equipment.
 
 It makes systems vulnerable to data theft by hackers who can attack 
			them without leaving a trace.
 
Community Health Systems, one of the biggest U.S. hospital groups, said the information stolen included patient names, addresses, birth dates, phone numbers and social security numbers of people who were referred to, or received services from, doctors affiliated with the company over the last five years.
 
            
 
Representatives of Community Health Systems could not be reached for comment outside regular U.S. business hours. A Juniper spokeswoman said she had no immediate comment.

A spokesman for FireEye Inc's Mandiant forensics unit, which is leading the investigation into the breach, declined to comment.
 
 Canada's tax-collection agency said in April that the private 
			information of about 900 people had been compromised after hackers 
			exploited the Heartbleed bug.
 
 (Reporting by Jim Finkle in Boston and Supriya Kurane in Bangalore; 
			Editing by Gopakumar Warrier and Ted Kerr)
 
 
[© 2014 Thomson Reuters. All rights reserved.] Copyright 2014 Reuters. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.