Heartbleed May Be to Blame for Chinese Health Care Hack

NEWS ANALYSIS: The hack of 4.5 million health care records might be the latest casualty from the Heartbleed SSL encryption flaw.


The recent hack of 4.5 million health care records was a result of the Heartbleed vulnerability, according to a new report from security firm TrustedSec.

On Aug. 18, Community Health Systems disclosed that it was the victim of a data breach affecting its patient records. CHS and its security partner, FireEye's Mandiant division, said the breach came from China. What neither CHS nor FireEye has yet publicly disclosed is how the attackers breached the system.

A FireEye spokesperson told eWEEK that the company is unable to comment on TrustedSec's claim because the investigation is still ongoing.

TrustedSec claims that the OpenSSL Heartbleed flaw, first publicly disclosed April 7, provided easy access for the CHS attackers. Heartbleed is a flaw in the widely used open-source OpenSSL cryptographic library.

"This confirmation of the initial attack vector was obtained from a trusted and anonymous source close to the CHS investigation," TrustedSec stated. "Attackers were able to glean user credentials from memory on a CHS Juniper device via the Heartbleed vulnerability [now said to be fixed] and use them to log in via a VPN."

Juniper Networks told eWEEK that it quickly resolved the Heartbleed issue for its products.

"Juniper is committed to the security and assurance of its products," a Juniper Networks spokesperson wrote in an email statement to eWEEK. "When we learned earlier this year about vulnerabilities in OpenSSL, we reacted with speed and transparency and delivered a remediation for affected products within a day."

Coincidentally, as far back as April 21, only a few short weeks after Heartbleed was first disclosed, FireEye reported that VPNs were at risk from the flaw.

"Beginning on April 8, an attacker leveraged the Heartbleed vulnerability against a VPN appliance and hijacked multiple active user sessions," Mandiant security researchers wrote in a blog post back on April 18. "Specifically, the attacker repeatedly sent malformed heartbeat requests to the HTTPS Web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users."
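The mechanism Mandiant describes, a malformed heartbeat request that makes a vulnerable OpenSSL build echo back memory beyond the request, comes down to one missing length check. The following toy model is an added example, not code from the article, from OpenSSL or from any of the companies named; it follows the heartbeat record layout of RFC 6520 (one type byte, a 16-bit payload length, the payload, and at least 16 bytes of padding), and the "adjacent process memory" with a session token in it is constructed for the demonstration. The vulnerable handler trusts the peer's claimed payload length; the fixed handler discards any record whose claimed length does not fit inside the bytes that actually arrived, which is what the OpenSSL patch does.

```python
"""
Toy model of the heartbeat handling behind Heartbleed: vulnerable handler
beside its fixed form. Added example; not code from the article or OpenSSL.
Record layout per RFC 6520: type (1 byte) | payload_length (2 bytes, big-endian)
| payload | padding (>= 16 bytes). The heap contents below are constructed.
"""
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16
HEADER_LEN = 1 + 2  # type byte + payload_length field

# Constructed stand-in for whatever happened to sit next to the received record
# on the server heap (in the incidents discussed, session tokens or credentials).
ADJACENT_MEMORY = b"...session=TOKEN-constructed-for-demo-0123456789..."


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Encode a heartbeat request. claimed_length lets a caller build a
    malformed record whose length field disagrees with the real payload."""
    length = len(payload) if claimed_length is None else claimed_length
    return (bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", length)
            + payload + b"\x00" * MIN_PADDING)


def _response(payload_length: int, echoed: bytes) -> bytes:
    return (bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", payload_length)
            + echoed + b"\x00" * MIN_PADDING)


def vulnerable_handler(record: bytes, memory_after: bytes) -> bytes:
    """Pre-fix behaviour: copies payload_length bytes starting at the payload
    without checking that many bytes were received, so the copy runs past the
    record into adjacent memory. (If the claim exceeds the modelled heap, the
    slice simply truncates; a real process would read garbage or crash.)"""
    heap = record + memory_after            # the record sits in front of other heap data
    payload_length = struct.unpack("!H", heap[1:HEADER_LEN])[0]
    echoed = heap[HEADER_LEN:HEADER_LEN + payload_length]   # over-read happens here
    return _response(payload_length, echoed)


def fixed_handler(record: bytes, memory_after: bytes) -> Optional[bytes]:
    """Post-fix behaviour: the claimed payload must fit inside the received
    record together with the header and minimum padding, else the record is
    silently discarded. memory_after is never touched."""
    if len(record) < HEADER_LEN + MIN_PADDING:
        return None
    payload_length = struct.unpack("!H", record[1:HEADER_LEN])[0]
    if HEADER_LEN + payload_length + MIN_PADDING > len(record):
        return None                         # bounds check that Heartbleed lacked
    echoed = record[HEADER_LEN:HEADER_LEN + payload_length]
    return _response(payload_length, echoed)


def leaked_bytes(response: bytes, request: bytes) -> bytes:
    """Bytes in the echoed payload that were never part of the request
    (i.e. everything copied from beyond the end of the received record)."""
    payload_length = struct.unpack("!H", response[1:HEADER_LEN])[0]
    echoed = response[HEADER_LEN:HEADER_LEN + payload_length]
    own_bytes = len(request) - HEADER_LEN   # payload + padding the peer really sent
    return echoed[own_bytes:]


if __name__ == "__main__":
    honest = build_heartbeat(b"ping")
    malformed = build_heartbeat(b"ping", claimed_length=60)
    leak = leaked_bytes(vulnerable_handler(malformed, ADJACENT_MEMORY), malformed)
    print("vulnerable server leaked:", leak)
    print("fixed server reply to malformed record:",
          fixed_handler(malformed, ADJACENT_MEMORY))
    print("fixed server reply to honest record:",
          fixed_handler(honest, ADJACENT_MEMORY))
```

The honest request behaves identically under both handlers, which is why the bug went unnoticed in normal traffic; only a record whose claimed length exceeds what was received separates them, and the fixed handler rejects exactly that case before any copy takes place.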

That sounds a whole lot like what TrustedSec is claiming happened at CHS, but FireEye has not confirmed any such connection at this time.

TrustedSec in its report incorrectly states that the CHS attack is the "first confirmed breach of its kind where the Heartbleed bug is the known initial attack vector that was used."

As eWEEK reported in April, the Canada Revenue Agency was attacked via Heartbleed, and law-enforcement officials made an arrest.

It's not surprising that more Heartbleed-related breaches are now becoming known. Given the widespread impact of the Heartbleed flaw, it's unfortunately likely that many more such disclosures will be made in the months ahead.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.