Hackers exploit Heartbleed to swipe data of 4.5 million
In the second biggest HIPAA breach ever reported, one of the nation's largest healthcare systems has notified some 4.5 million of its patients that their personal information has been snatched by cybercriminals.
The Franklin, Tenn.-based Community Health Systems, which operates 206 hospitals across 29 states, in an Aug. 18 federal security filing reported that hackers were able to gain access to CHS' systems throughout April and June 2014.
The hacking group, which investigators say was carried out by Chinese Advanced Persistent Threat, "used highly sophisticated malware and technology," the report stipulated.
"The attacker was able to bypass the company's security measures and successfully copy and transfer certain data outside," company officials wrote in the filing. This is the largest hacking-related HIPAA data breach that has ever been reported, according to data from the Office for Civil Rights.
According to sources from information security firm TrustedSec, the hackers exploited CVE-2014-0160, also known as the OpenSSL Heartbleed vulnerability. They were able to do so by gaining user credentials via a Community Health System Juniper device through the Heartbleed flaw. Then, as TrustedSec officials pointed out, they used the credentials to log in via a virtual private network.
The attackers accessed Social Security numbers, patient names, addresses, dates of birth and telephone numbers of 4.5 million people.
Only on Aug. 19 did the Federal Bureau of Investigation issue an alert to healthcare organizations that may be susceptible to an attack, which FBI officials appeared to admit was late to the game. Moreover, the alert was not specific to the CHS hacking incident.
"We're going to look inward and see what we can do to better improve our abilities to get things to you quicker and not be in a reactive mode," said Michael Rosanova, supervisory special agent at the FBI, in an Aug. 21 HITRUST cyber threat briefing. "We may stumble and fall again, but we're going to try not to."
Rosanova explained that one of the difficulties related to getting these alerts out is that they typically deal with handling classified information, and getting that data into a "usable form" for people who need it is often time consuming.
Following an internal investigation, Community Health Systems learned that the hacker group typically goes after intellectual property, including medical device and equipment development data.
Since the open community discovered the Heartbleed vulnerability in early April, it's been a chief priority for healthcare security professionals.
The flaw was "top of the food chain," for Phil Lerner, chief information security officer at Beth Israel Deaconess Medical Center, who talked with Healthcare IT News back in April. It's one of those things the healthcare industry will "stumble on for a little while," he added.
"We're learning through experience and what we see happening out there, that more and more of the focus of breaches and attempts to get into systems is being turned toward healthcare," said Ed Marx, CIO at Texas Health Resources, in an interview with Healthcare IT News this summer. "As opposed to in the past, it may have been strictly retail."
Speaking at the Healthcare IT News Privacy and Security Forum earlier this year, Jim Doggett, chief security officer and chief technology risk officer at the 38-hospital Kaiser Permanente, seemed to agree.
"Cybercriminal is an industry," he said. "It's well funded; it's well organized. They're patient, and they make money."
Just this February, the five-hospital St. Joseph Health System in Texas notified some 405,000 of its patients their data had been compromised following a three-day long data security attack.
More than eight million Americans have had their protected health information compromised in hacking-related HIPAA breaches, according to OCR data. And in the last four years, criminal data attacks on the healthcare industry have skyrocketed 100 percent. To date, more than 39 million people have been impacted by HIPAA breaches.