Aug 20, 2014 - Hackers who stole the personal data of
about 4.5 million patients of hospital group Community Health
Systems Inc broke into the company's computer system by
exploiting the "Heartbleed" internet bug, making it the first
known large-scale cyber attack using the flaw, according to a
security expert.
The hackers, taking advantage of the pernicious
vulnerability that surfaced in April, got into the system by
using the Heartbleed bug in equipment made by Juniper Networks
Inc, David Kennedy, chief executive of TrustedSec LLC,
told Reuters on Wednesday.
Kennedy said that multiple sources familiar with the
investigation into the attack had confirmed that Heartbleed had
given the hackers access to the system.
Community Health Systems said on Monday that the attack had
originated in China.
Kennedy, who testified before the U.S. Congress on security
flaws in the healthcare.gov website that Americans use to sign
up for Obamacare health insurance programs, said the hospital
operator uses Juniper's equipment to provide remote access to
employees through a virtual private network, or VPN.
The hackers used stolen credentials to log into the network
posing as employees, Kennedy said. Once in, they hacked their
way into a database and stole millions of social security
numbers and other records, he said.
Heartbleed is a major bug in OpenSSL encryption software
that is widely used to secure websites and technology products
including mobile phones, data center software and
telecommunications equipment.
It makes systems vulnerable to data theft by hackers who can
attack them without leaving a trace.
Community Health Systems, one of the biggest U.S. hospital
groups, said the information stolen included patient names,
addresses, birth dates, phone numbers and social security
numbers of people who were referred or received services from
doctors affiliated with the company over the last five years.
Representatives of Community Health Systems could not be
reached for comment outside regular U.S. business hours. A
Juniper spokeswoman said she had no immediate comment.
A spokesman for FireEye Inc's Mandiant forensics
unit, which is leading the investigation into the breach,
declined to comment.
Canada's tax-collection agency said in April that the
private information of about 900 people had been compromised
after hackers exploited the Heartbleed bug.
(Reporting by Jim Finkle in Boston and Supriya Kurane in
Bangalore; Editing by Gopakumar Warrier and Ted Kerr)