U.S. hospital breach biggest yet to exploit Heartbleed bug - expert
By Jim Finkle and Supriya Kurane
Aug 20 (Reuters) - Hackers who stole the personal data of about 4.5 million patients of hospital group Community Health Systems Inc broke into the company's computer system by exploiting the "Heartbleed" internet bug, making it the first known large-scale cyber attack using the flaw, according to a security expert.
The hackers, taking advantage of the pernicious vulnerability that surfaced in April, got into the system by using the Heartbleed bug in equipment made by Juniper Networks Inc, David Kennedy, chief executive of TrustedSec LLC, told Reuters on Wednesday.
Kennedy said that multiple sources familiar with the investigation into the attack had confirmed that Heartbleed had given the hackers access to the system.
Community Health Systems said on Monday that the attack had originated in China.
Kennedy, who testified before the U.S. Congress on security flaws in the healthcare.gov website that Americans use to sign up for Obamacare health insurance programs, said the hospital operator uses Juniper's equipment to provide remote access to employees through a virtual private network, or VPN.
The hackers used stolen credentials to log into the network posing as employees, Kennedy said. Once in, they hacked their way into a database and stole millions of social security numbers and other records, he said.
Heartbleed is a major bug in OpenSSL encryption software that is widely used to secure websites and technology products including mobile phones, data center software and telecommunications equipment.
It makes systems vulnerable to data theft by hackers who can attack them without leaving a trace.