updated 05:15 pm EDT, Wed August 20, 2014
OpenSSL vulnerability the first attack vector, occured shortly after bug announced
Security firm TrustedSec says that it learned how hackers were able to obtain records from Community Health Systems (CHS). According to a statement released by the firm yesterday, the initial attack occurred through an OpenSSL vulnerability. An anonymous source tied to the investigation told the company that Heartbleed, a vulnerability that has made headlines in recent history, is to blame for the breach.
CHS recently reported in a filing to the United States Securities and Exchange Commission that it was the target of data theft from April to July. While the company was eventually able to halt the transfer of data, it was found that hospital patient records including names, addresses and Social Security numbers for 4.5 million patients were stolen. Details on the method and type of attack were unknown, other than to say a Chinese group was responsible.
TrustedSec states that it received the first details on the breach from an anonymous source close to the case. The source told the firm that attacking OpenSSL through the Heartbleed bug was the "initial attack vector," which would allow the attackers to gain complete access to the system afterward. Credentials were obtained through the memory on a CHS Juniper device.
David Kennedy, the founder of TrustedSec, spoke with Bloomberg about the attack, adding that there was no proof prior to the information leak that CHS systems were attacked. Bloomberg reached out to CHS about the Heartbleed bug as the access entry point, but spokeswoman Tomi Galin declined to comment.
The CHS system was accessed about a week after Heartbleed was announced, but before the company was able to patch its systems. TrustedSec says that this is the "first confirmed breach of its kind" that is tied to Heartbleed as the first wave of attack.