A hack on a US healthcare company that gave attackers 4.5 million records may have begun with the Heartbleed exploit, according to security research firm TrustedSec. The data breach was revealed in a regulatory filing by Community Health Systems (CHS), which makes no mention of the OpenSSL flaw.
On Tuesday, TrustedSec posted an attack analysis on its website, which indicates that Heartbleed was confirmed as the initial attack vector by an “anonymous source close to the CHS investigation.” According to TrustedSec, attackers used the Heartbleed vulnerability to access the memory of a Juniper device, where they found user credentials. The attackers used those credentials to log in via VPN, and they subsequently discovered the database with 4.5 million patient records.
No credit card information or intellectual property was stolen, which makes the incident somewhat unusual for an attack of this size and type, according to the filing. The attack may not be state-sponsored, and may not have originated from the “Unit 61398” hacking unit previously identified by Mandiant.
“One must keep in mind that China recently emerged as the world’s second-largest economy with 618 million Internet users, more than the entire population of the United States,” Jeffrey Lyon, co-founder of Black Lotus, told DARKReading. “It is entirely reasonable to expect that an uptick in cyber crime will accompany this growth. It is not proper to automatically assume that the Chinese government itself is responsible for these incidents.”
While CHS says in the filing that it does not believe the “incident will have a material adverse effect on its business or financial results,” data breaches cost healthcare firms $5.6 billion annually.
Community Health Systems shares have been trading over $50 since the breach was disclosed, despite trading at under $40 in May.