China's Heartbleed Hospital Hack

Image from Community Health Systems website

Published August 21, 2014

By Thursday Review staff


When the web and computer vulnerability called Heartbleed was revealed back in April 2014, security and computer experts warned that it was not clear just how much information or data had already been stolen from millions of computers worldwide.

But when a honeypot computer and flycatcher server—each set up as a sort of real-time, online sting operation—were placed into action at the University of Michigan in mid-April, it took only a few hours before hackers with direct links to China were busy attempting to exploit the breach and steal data.

Those hackers, as it turned out, were small-potatoes operators—and had in fact been linked to previous cyber-attacks. But they had pounced quickly, and their intrusion proved that when information about computer vulnerabilities travels around the world in hours, the bad guys and the good guys are engaged in an immediate battle. Some want to steal your information, others want to protect it.

Now we have learned that Chinese hackers—apparently unrelated to the ones who were detected testing that computer at the University of Michigan back in April—have managed to steal the medical records of 4.5 million U.S. and Canadian patients. Community Health Systems, Inc., announced this week that hackers used the Heartbleed flaw to gain access to its computers and file servers, stealing names, mailing addresses, medical information, social security numbers, contact phone numbers, and other personal data.

It is also possible that CHS payment data was stolen, including credit card numbers, debit card numbers and the account preferences of patients who used some form of payroll deduction. Though there is a full-scale investigation now under way by the FBI and other law enforcement, no information has been released as to how the intruders gained access, other than the fact that the Heartbleed flaw gave the thieves an opening.

A spokesperson for CHS declined any public form of comment, but sent an email to some in the media which said that patient financial information had not been compromised during the attack. But the fear among investigators is that information harvested from Community Health Systems’ computers and medical records divisions could be used for exactly that purpose—to gain access to bank accounts, or to harvest social security numbers for identity theft purposes. A networking and computer employee who works for CHS in an Alabama hospital (they requested that we not identify them by name, nor the name of the specific hospital) said that hackers who might have gained access to electronic medical records—names, addresses, social security numbers—would also certainly have the same access to payment information.

According to information provided to the Federal government, the largest intrusions apparently occurred in late April, with brief, intermittent hacks in parts of May and June. The attacks in April happened before Community Health Systems was able to partially resolve the vulnerability. The May and June attacks took place using unresolved flaws—some of those easily fixed with patches developed and deployed in late May and again in June.

Heartbleed was actually discovered a full 18 months before it raised red flags among security experts. Not so much a virus as a vulnerability, Heartbleed allowed hackers to gain backdoor access to encryption keys, enabling thieves to obtain usernames and passwords without leaving much of a trace. Though the flaw only allowed for data to be stolen in small packets (and only from any company or individual using the security tool OpenSSL), a dedicated hacker could easily write a program to steal information in small bites, one bit at a time, over and over. Since Heartbleed was at that time difficult to detect and even harder to fix, hackers could simply repeat the theft of small parcels of data one at a time until 100% of the contents of a computer was in their hands. Locating passwords and other data would then be relatively simple.

Hackers from several countries have maintained an aggressive and ongoing interest in the medical records of Americans for several years. Such data can often be a gold mine to data thieves in Russia, Turkey, China, Iran, Taiwan, Romania, Brazil, Vietnam, and Hungary—the nations with the most hacker activity worldwide. Heartbleed, some security experts now believe, may have been used by individuals and by organized crime in these countries to gain access to other troves of medical data and patient recordkeeping. Since Heartbleed allows intruders to gather information without leaving much of a trace, some worry that data stolen months or years ago may already be in circulation on the cyber-criminal market.

Community Health Systems, based in Franklin, Tennessee, is the second largest for-profit, “non-urban” hospital and clinic chain in the United States. It owns, operates or manages 206 hospitals in the U.S. with a total bed count of 31,100. CHS has facilities in 35 states. The majority of those hospitals are in small-to-medium sized towns and cities. Examples of these locations include: Las Cruces, New Mexico; Crestview, Florida; Fort Wayne, Indiana; Petersburg, Virginia.
