Hack of hospital chain leads to theft of up to 4.5M users' data
http://www.cnet.com/news/hack-of-hospital-chain-leads-to-theft-of-up-to-4-5m-users-data/
Hack of hospital chain leads to theft of up to 4.5M users' data
Hack of hospital chain leads to theft of up to 4.5M users' data
Community Health Systems is targeted in a massive cyberattack leading to stolen Social Security numbers and patient names and addresses. It's believed the attack originated in China.
by Dara Kerr
@darakerr
August 18, 2014 5:18 PM PDT
comments
6
facebook
39
twitter
278
linkedin
119
googleplus
more
more +
screen-shot-2014-08-18-at-6-47-57-pm.pngCommunity Health Systems oversees 206 hospitals in 29 states. Community Health Systems
One of the biggest hospital groups in the US revealed Monday that it suffered a monumental security breach, which possibly led to 4.5 million patients' data being stolen, according to Reuters.
Community Health Systems, which oversees 206 hospitals in 29 states, said the stolen information includes Social Security numbers, patient names and addresses, telephone numbers, and birth dates, according to Reuters. This is the largest known attack to involve hospital patient information since the US government began tracking these types of data breaches in 2009.
"One possible goal of this attack is to facilitate future targeted attacks," Elysium Digital data security expert Joseph Calandrino told CNET. "The type of data that was stolen from the hospital system is often used to verify a person's identify. The exposure of this data creates a risk that the hackers could leverage it to gain access to other accounts and information."
It's believed the cyberattack originated in China, according to Reuters. Security firm Mandiant, which investigated the breach in April and June, said the hackers belong to a group that targets defense, engineering, financial services, and health care companies. It's unclear if these hackers are affiliated with the Chinese government.
Related stories
Hackers nab 1.2B passwords in colossal breach, says security firm
Overseas hackers nab more than 1TB of data daily
Anonymous hacks Ferguson, Mo., police site for dispatch tapes
Vast majority of hackers believe they're above the law -- survey
HealthCare.gov security -- 'a breach waiting to happen'
Various security experts have long accused China of waging a cyberwar on US government and private company websites. A report by Mandiant released in 2013 linked China's People's Liberation Army to a large number of cyberattacks on US soil. However, the Chinese government has flatly denied that it is involved in cyber-espionage or hacking.
The cyberattack on Community Health Systems is just one of many over the past few months. Last December, retailer Target revealed 110 million people's data was stolen in a breach, and retailers Neiman Marcus and Michaels Stores were also attacked around the same time. Earlier this month, cybersecurity firm Hold Security identified what is arguably the largest known data breach in history, in which a Russian cybergang allegedly stole 1.2 billion username and password combinations and more than 500 million email addresses.
Community Health Systems told Reuters it stopped the cyberattack by removing the malicious software used by the hackers. The hospital group is currently notifying its patients of the breach.
CNET contacted Community Health Systems for more information, we'll update the story when we hear back.
Tags:
Security
Internet
Hacking
Malware
Comments
-
http://www.cnet.com/news/heartbleed-may-be-culprit-in-hospital-chain-hack/
Heartbleed may be culprit in hospital chain hack
Hackers reportedly exploited the widespread Internet security flaw to steal the personal information of 4.5 million patients.
by Don Reisinger
@donreisinger
August 20, 2014 8:23 AM PDT
Chinese hackers used the widespread Heartbleed security vulnerability to steal the personal information on 4.5 million patients of Community Health Systems, reported Bloomberg on Wednesday.
Community Health Systems, the second-largest for-profit hospital chain in the US, announced Tuesday that hackers based in China had accessed its network and stolen data on 4.5 million patients. The stolen data included social security numbers, names, and addresses of people who were refereed to or received services at the hospital chain. In a filing with the US Securities and Exchange Commission, Community Health Systems said the hackers used "highly sophisticated malware" to bypass security measures and attack its system -- but didn't go into detail about the cyberattack.
The Chinese hackers appear to have exploited the so-called Heartbleed bug to steal the data from Community Health Systems, an unnamed person involved in the investigation told Bloomberg.
Related stories
Nuclear regulator hacked 3 times in 3 years
Hack of hospital chain leads to theft of up to 4.5M users' data
Heartbleed still a threat: Over 300,000 servers remain exposed
Hip to Heartbleed: 39% of users took steps to protect themselves
Heartbleed, which was first identified in April, impacts OpenSSL, an open-source software for encrypting information across the Web. It left information stored on data servers -- often user data and personal information -- vulnerable to hackers. What made Heartbleed different: its inherent nature within the OpenSSL framework, which is used by thousands of websites, left huge numbers of servers on the Web exposed. Some hackers were also able to use the flaw to steal servers' digital encryption keys, giving them access to typically encrypted communications.
After Heartbleed was revealed, companies worldwide worked to patch the bug, but as of June an estimated 300,000 servers remain vulnerable. Along the way, it was also discovered that some governments might have known about the Internet vulnerability and used it for their advantage.
Community Health Systems said it is working with law enforcement to determine who is responsible for the hack, which occurred between April and June. If the hackers used Heartbleed to access Community Health Systems' servers, it happened after the bug was publicly revealed an being patched by many companies.
The question on the minds of both the hospital chain and security experts: Why the company was hacked in the first place? Security firm Mandiant, which investigated the breach, said the hackers belong to a group that targets defense, engineering, financial services, and health care companies.
CNET has contacted Community Health Systems for comment on the report. We will update this story when we have more information.
Tags:
Security
Internet
Heartbleed
Hacking
Malware