Last Monday, Community Health Systems (CHS) filed an 8-K with the US Securities and Exchange Commission, confirming a security breach that occurred in April and June 2014. CHS blamed the breach on a group of Chinese hackers.
The 8-K filing confirms that the hackers managed to get away with patient identification data of approximately 4.5 million individuals. Although the stolen data did not include any medical information, it is still considered protected under the Health Insurance Portability and Accountability Act (HIPAA), and CHS is therefore required by federal and state law to notify all affected patients.
Although the 8-K filing does not give any details on how the breach occurred, TrustedSec has revealed that the hack was made possible by the Heartbleed bug (CVE-2014-0160), a vulnerability in OpenSSL discovered back in April. It seems that the vulnerable component was a Juniper device. Although Juniper did eventually fix the bug, security researchers are questioning the time it took Juniper to come up with a fix for such a critical vulnerability.
Acunetix has been detecting Heartbleed since information about the vulnerability was made public. Although it is hard to believe, four months on, there are still web servers and devices that are vulnerable to Heartbleed. Scan your websites and internet-facing servers today to avoid being the next Heartbleed victim.
UPDATE: More information about Heartbleed now available.