Heartbleed bug used in huge Community Health Systems data breach

Hackers have stolen the personal data of 4.5 million U.S. medical patients in the first known large-scale cyberattack using the notorious Heartbleed security bug.

Personal data from 4.5 million U.S. medical patients stolen

Heartbleed is a bug in the code used for making communications secure on more than two-thirds of active websites on the internet, as well as email and chat servers and virtual private networks.

Hackers stole the personal data of about 4.5 million patients of U.S. hospital group Community Health Systems Inc. after breaking into the company's computer system by exploiting the Heartbleed internet bug. According to a security expert, the incident is the first known large-scale cyberattack using the pernicious vulnerability that surfaced in April.

Heartbleed is a major bug in OpenSSL encryption software that is widely used to secure websites and technology products including mobile phones, data center software and telecommunications equipment. It makes systems vulnerable to data theft by hackers who can attack them without leaving a trace.
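A defender-side check for the malformed heartbeat message behind Heartbleed, added here as an illustration and not part of the article or of any product it mentions: under RFC 6520 a TLS heartbeat declares its payload length and carries at least 16 bytes of padding, and the bug was that vulnerable OpenSSL trusted the declared length instead of checking it against what the record actually contained. The function names, constants and the constructed sample records below are my own.

```python
# Added example: flag TLS heartbeat requests whose declared payload length
# exceeds what the record really carries (the Heartbleed signature).
import struct

TLS_HEARTBEAT = 0x18   # TLS record content type "heartbeat" (RFC 6520)
HB_REQUEST = 1         # HeartbeatMessageType heartbeat_request
MIN_PADDING = 16       # RFC 6520: a heartbeat carries at least 16 bytes of padding


def inspect_heartbeat(record: bytes) -> dict:
    """Parse one TLS record and report whether it is a suspicious heartbeat.

    Keys: is_heartbeat, declared (claimed payload bytes), available (bytes
    actually present for the payload) and suspicious (declared > available).
    """
    if len(record) < 5 or record[0] != TLS_HEARTBEAT:
        return {"is_heartbeat": False, "suspicious": False}
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]          # slicing also truncates a short record
    if len(body) < 3:
        # truncated message: the declared length cannot even be read
        return {"is_heartbeat": True, "declared": None,
                "available": len(body), "suspicious": True}
    msg_type = body[0]
    declared = struct.unpack("!H", body[1:3])[0]
    available = max(len(body) - 3 - MIN_PADDING, 0)
    suspicious = msg_type == HB_REQUEST and declared > available
    return {"is_heartbeat": True, "declared": declared,
            "available": available, "suspicious": suspicious}


def benign_heartbeat(payload: bytes) -> bytes:
    """Build a well-formed heartbeat request (constructed sample for testing)."""
    body = bytes([HB_REQUEST]) + struct.pack("!H", len(payload)) + payload
    body += b"\x00" * MIN_PADDING
    return bytes([TLS_HEARTBEAT, 0x03, 0x02]) + struct.pack("!H", len(body)) + body


if __name__ == "__main__":
    ok = benign_heartbeat(b"ping")
    # constructed malformed sample: declares 256 payload bytes, carries 4
    bad = bytes([TLS_HEARTBEAT, 0x03, 0x02]) + struct.pack("!H", 23)
    bad += bytes([HB_REQUEST]) + struct.pack("!H", 256) + b"ping" + b"\x00" * 16
    print(inspect_heartbeat(ok)["suspicious"], inspect_heartbeat(bad)["suspicious"])
```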

The bug had previously been used to steal 900 social insurance numbers from the Canada Revenue Agency website, causing the agency to shut down online tax filing for several days during tax season this past April. Its discovery left many internet companies such as Yahoo scrambling to patch their services.

In the latest attack, hackers got into the system by using the Heartbleed bug in equipment made by Juniper Networks Inc, David Kennedy, chief executive of TrustedSec LLC, told Reuters on Wednesday. BBC News reported that the attack took place in April and June.

Kennedy said that multiple sources familiar with the investigation into the attack had confirmed that Heartbleed had given the hackers access to the system.

Community Health Systems said on Monday that the attack had originated in China.

Bug used to steal VPN logins

Kennedy, who testified before the U.S. Congress on security flaws in the website that Americans use to sign up for Obamacare health insurance programs, said the hospital operator uses Juniper's equipment to provide remote access to employees through a virtual private network, or VPN.

The hackers used stolen credentials to log into the network posing as employees, Kennedy said. Once in, they hacked their way into a database and stole millions of social security numbers and other records, he said.

Community Health Systems, one of the biggest U.S. hospital groups, said the information stolen included patient names, addresses, birth dates, phone numbers and social security numbers of people who were referred or received services from doctors affiliated with the company over the last five years.

Representatives of Community Health Systems could not be reached for comment outside regular U.S. business hours. A Juniper spokeswoman said she had no immediate comment.

A spokesman for FireEye Inc's Mandiant forensics unit, which is leading the investigation into the breach, declined to comment.

The Canada Revenue Agency said in April that the private information of about 900 people had been compromised after hackers exploited the Heartbleed bug. 
