Hack of hospital chain leads to theft of up to 4.5M users' data

Rusli Posts: 1,019 Influencer


Hack of hospital chain leads to theft of up to 4.5M users' data

Hack of hospital chain leads to theft of up to 4.5M users' data

Community Health Systems is targeted in a massive cyberattack leading to stolen Social Security numbers and patient names and addresses. It's believed the attack originated in China.

    by Dara Kerr
    August 18, 2014 5:18 PM PDT

    more +

screen-shot-2014-08-18-at-6-47-57-pm.pngCommunity Health Systems oversees 206 hospitals in 29 states. Community Health Systems

One of the biggest hospital groups in the US revealed Monday that it suffered a monumental security breach, which possibly led to 4.5 million patients' data being stolen, according to Reuters.

Community Health Systems, which oversees 206 hospitals in 29 states, said the stolen information includes Social Security numbers, patient names and addresses, telephone numbers, and birth dates, according to Reuters. This is the largest known attack to involve hospital patient information since the US government began tracking these types of data breaches in 2009.

"One possible goal of this attack is to facilitate future targeted attacks," Elysium Digital data security expert Joseph Calandrino told CNET. "The type of data that was stolen from the hospital system is often used to verify a person's identify. The exposure of this data creates a risk that the hackers could leverage it to gain access to other accounts and information."

It's believed the cyberattack originated in China, according to Reuters. Security firm Mandiant, which investigated the breach in April and June, said the hackers belong to a group that targets defense, engineering, financial services, and health care companies. It's unclear if these hackers are affiliated with the Chinese government.
Related stories

    Hackers nab 1.2B passwords in colossal breach, says security firm
    Overseas hackers nab more than 1TB of data daily
    Anonymous hacks Ferguson, Mo., police site for dispatch tapes
    Vast majority of hackers believe they're above the law -- survey
    HealthCare.gov security -- 'a breach waiting to happen'

Various security experts have long accused China of waging a cyberwar on US government and private company websites. A report by Mandiant released in 2013 linked China's People's Liberation Army to a large number of cyberattacks on US soil. However, the Chinese government has flatly denied that it is involved in cyber-espionage or hacking.

The cyberattack on Community Health Systems is just one of many over the past few months. Last December, retailer Target revealed 110 million people's data was stolen in a breach, and retailers Neiman Marcus and Michaels Stores were also attacked around the same time. Earlier this month, cybersecurity firm Hold Security identified what is arguably the largest known data breach in history, in which a Russian cybergang allegedly stole 1.2 billion username and password combinations and more than 500 million email addresses.

Community Health Systems told Reuters it stopped the cyberattack by removing the malicious software used by the hackers. The hospital group is currently notifying its patients of the breach.

CNET contacted Community Health Systems for more information, we'll update the story when we hear back.



  • Rusli
    Rusli Posts: 1,019 Influencer



    Heartbleed may be culprit in hospital chain hack

    Hackers reportedly exploited the widespread Internet security flaw to steal the personal information of 4.5 million patients.

        by Don Reisinger
        August 20, 2014 8:23 AM PDT

    Chinese hackers used the widespread Heartbleed security vulnerability to steal the personal information on 4.5 million patients of Community Health Systems, reported Bloomberg on Wednesday.

    Community Health Systems, the second-largest for-profit hospital chain in the US, announced Tuesday that hackers based in China had accessed its network and stolen data on 4.5 million patients. The stolen data included social security numbers, names, and addresses of people who were refereed to or received services at the hospital chain. In a filing with the US Securities and Exchange Commission, Community Health Systems said the hackers used "highly sophisticated malware" to bypass security measures and attack its system -- but didn't go into detail about the cyberattack.

    The Chinese hackers appear to have exploited the so-called Heartbleed bug to steal the data from Community Health Systems, an unnamed person involved in the investigation told Bloomberg.
    Related stories

        Nuclear regulator hacked 3 times in 3 years
        Hack of hospital chain leads to theft of up to 4.5M users' data
        Heartbleed still a threat: Over 300,000 servers remain exposed
        Hip to Heartbleed: 39% of users took steps to protect themselves

    Heartbleed, which was first identified in April, impacts OpenSSL, an open-source software for encrypting information across the Web. It left information stored on data servers -- often user data and personal information -- vulnerable to hackers. What made Heartbleed different: its inherent nature within the OpenSSL framework, which is used by thousands of websites, left huge numbers of servers on the Web exposed. Some hackers were also able to use the flaw to steal servers' digital encryption keys, giving them access to typically encrypted communications.

    After Heartbleed was revealed, companies worldwide worked to patch the bug, but as of June an estimated 300,000 servers remain vulnerable. Along the way, it was also discovered that some governments might have known about the Internet vulnerability and used it for their advantage.

    Community Health Systems said it is working with law enforcement to determine who is responsible for the hack, which occurred between April and June. If the hackers used Heartbleed to access Community Health Systems' servers, it happened after the bug was publicly revealed an being patched by many companies.

    The question on the minds of both the hospital chain and security experts: Why the company was hacked in the first place? Security firm Mandiant, which investigated the breach, said the hackers belong to a group that targets defense, engineering, financial services, and health care companies.

    CNET has contacted Community Health Systems for comment on the report. We will update this story when we have more information.


This discussion has been closed.
Pricing & Product Info