TORONTO – Hackers responsible for the theft of approximately 4.5 million patient records from U.S. hospital group Community Health Systems may have exploited the Heartbleed bug to gain access, according to reports.
According to a report by Reuters, a security expert with TrustedSec LLC believes that hackers gained access to the company’s database by using the SSL vulnerability in networking equipment made by Juniper Networks.
The report cited “multiple sources familiar with the matter,” who confirmed the Heartbleed bug had allowed the hackers access.
Community Health Systems revealed Monday that data from about 4.5 million patients was stolen from its databases. The company said the attack occurred between April and June – when Heartbleed was initially discovered – and suspects the hack came from China.
Community Health Systems is one of the biggest hospital groups in the U.S.
Information stolen from the database includes patient names, addresses, birth dates, phone numbers and social security numbers of those who used doctors affiliated with the company over the last five years.
Heartbleed, which some experts have called the biggest security vulnerability in the history of the Internet, was a flaw found in a line of code in OpenSSL.
The security flaw created an opening in SSL/TLS, an encryption technology marked by the small, closed padlock and “https:” on Web browsers to show that traffic is secure. Heartbleed allowed attackers to snoop on Internet traffic even if the padlock icon was closed.
Until now, one of the biggest known exploits stemming from the Heartbleed bug was the breach of the Canada Revenue Agency’s website. Roughly 900 social insurance numbers were stolen at the height of tax season after the federal agency’s website was crippled by the vulnerability, prompting identity theft concerns.
A 19-year-old Western University student is facing charges in relation to the incident.
If Heartbleed is to blame for the Community Health Systems hack, it would make be the first known large-scale attack using the vulnerability.
© Shaw Media, 2014