Heartbleed Flaw Said Exploited by Chinese in Hospital Hack

Aug 20, 2014 10:16 am ET

(Updates with Ponemon comments in the 10th paragraph.)

Aug. 20 (Bloomberg) -- Chinese hackers exploited the Heartbleed Web-security flaw to steal data on 4.5 million patients of Community Health Systems Inc., the first known breach of a company by use of the vulnerability, said a person involved in the investigation.

Community Health, the second-biggest for-profit U.S. hospital chain, said Aug. 18 that thieves stole patients’ Social Security numbers, names and addresses, without revealing how the hackers got in. The person involved with the probe wasn’t authorized to comment publicly and requested anonymity.

The group suspected of being responsible for the attack has a history of stealing intellectual property from health-care companies, and security specialists said it’s unusual for such thieves to turn to personal data.

Heartbleed -- a hole in a widely used data-protection technology that existed for two years before the public was alerted to the flaw in April -- gave hackers the ability to steal secret keys used to encrypt user names, passwords and other information. The revelation sent companies and security researchers rushing to patch their computer networks.

“We never had any tangible proof of an attack until now,” said David Kennedy, founder of TrustedSec LLC, a security consulting company based in Cleveland, who first reported on his company’s website that Heartbleed was used to attack Community Health.

Kennedy, who isn’t involved in the investigation, said he was told about the connection by three people close to the matter whose names he wouldn’t disclose.

Determining Motive

This may be the first of many cases linked to Heartbleed. Investigators may have trouble determining whether the motive of the Community Health attack was to steal data that could be resold or provide access to bank accounts, or whether hackers were stealing on behalf of the Chinese government.

Tomi Galin, a spokeswoman for Franklin, Tennessee-based Community Health, declined to comment on the role of Heartbleed in the attack. She said in an e-mail yesterday that “no patient medical or financial information was transferred as a result of this intrusion.”

The Chinese hackers exploited the Heartbleed flaw to steal user names and passwords to access one of the company’s private communications channels, Kennedy said. The incursion happened about a week after Heartbleed was made public and before Community Health altered its security to reduce its vulnerability, Kennedy said.

The attacks occurred in April and June, Community Health said in an Aug. 18 U.S. regulatory filing.

Infiltrating Hospitals

Hackers from China, Vietnam, South Korea, Russia and former Soviet Union countries are behind hacking attacks on U.S. health-care organizations, said Larry Ponemon, chairman of the Ponemon Institute, an information security research center based in Traverse City, Michigan.

Chinese hackers may be infiltrating hospitals and other providers in an effort to prepare for a larger digital conflict with the U.S. and to test responses, Ponemon said in a phone interview.

Hacking attacks and other forms of data breaches cost U.S. hospitals and health-care providers as much as $5.6 billion annually, according to the institute.

The average cost of data loss or theft to an organization is estimated to be $2.4 million this year, an increase of 20 percent from 2013, Ponemon said. “All of the evidence suggests that health care is vulnerable to attacks,” he said.

Programming Mistake

Heartbleed is a programming mistake in OpenSSL, used by Internet companies to secure traffic flowing between servers and computers. SSL refers to an encryption protocol known as Secure Sockets Layer and its use is indicated by a closed padlock appearing on browsers next to a website address.

Paul Bresson, a spokesman for the Federal Bureau of Investigation, which is probing the Community Health attack, declined to comment.

The Chinese embassy in Washington said it wasn’t aware of the attack.

“Chinese laws prohibit cybercrimes of all forms and Chinese government has done whatever it can to combat such activities,” Geng Shuang, an embassy spokesman, said in an Aug. 18 e-mail. “Making groundless accusations at others is not constructive at all and does not contribute to the solution of the issue.”

--With assistance from Jordan Robertson in San Francisco, Michael Riley in Washington and Cynthia Koons in New York.