TIME Security

Report: Devastating Heartbleed Flaw Was Used in Hospital Hack

It marks the first case of Heartbleed actually being used to hack companies

The infamous Heartbleed Internet security flaw that exposed half a million secure servers to password theft was used by Chinese hackers to steal data from American hospitals, according to a report.

Citing anonymous sources, the data security company TrustedSec told TIME Wednesday that the Heartbleed vulnerability allowed hackers to steal secret keys used to encrypt user names, passwords and other information from Community Health Systems, the second-biggest for-profit U.S. hospital chain. They then used the keys to swipe 4.5 million patients’ data. The attack marks the first known breach of a company by hackers using Heartbleed.

Community Health Systems, which operates 206 hospitals in 29 states, said in an SEC filing Monday that the attackers bypassed its security systems and stole data that included birth dates, names, social security numbers and addresses for 4.5 million patients.

“The initial attack vector was through the infamous OpenSSL “heartbleed” vulnerability which led to the compromise of the information,” TrustedSec said in a blog post. TrustedSec cited three “trusted” and anonymous sources close to the Community Health investigation.

Though the recent attack on Community Health Systems is the first that’s known to have used the Heartbleed vulnerability, it is likely just one of many instances that did, security experts said. Hackers had a wide window for mischief in the period between Heartbleed’s disclosure in early April and companies’ installation of patches to defense against the exploit, which in some cases took days or weeks.

“You had a lag time of a week to several weeks before patches were implemented, so if attackers were scanning companies, there must have been countless situations where hackers used Heartbleed to gain access,” TrustedSec CEO David Kennedy said. “This is just the beginning of many that have either not been discovered, or cases in which companies are working on responding and disclosing now.”

Kennedy said the hospital incursion happened about a week after Heartbleed was first made public.

Most of the well-known attacks attributed to Chinese hackers have targeted valuable intellectual property, particularly telecommunications or defense companies, or large industrial companies. But the recent attack against Community Health instead targeted social security numbers and customer data, signifying a different approach by Chinese cyber criminals, if the attacks indeed came from China.

“The attack against Community Health Systems might not have been for espionage or industrial espionage,” said Nir Polak, the co-founder of security company Exabeam. “The attackers might have just wanted to monetize on cybercrime,” Polak said, which is often the goal of non-governmental cybercrime groups.

Your browser, Internet Explorer 8 or below, is out of date. It has known security flaws and may not display all features of this and other websites.

Learn how to update your browser