Community Health Systems Breach Biggest Ever to Exploit Heartbleed Bug

Aug 20, 2014 01:00 PM EDT | Matt Mercuro

Hackers who took the personal information of around 4.5 million patients of hospital group Community Health Systems Inc. broke into the company's computer system by exploiting the "Heartbleed" internet bug, making it the first known large cyber-attack using the flaw, according to a security expert who spoke with Reuters.

The hackers took advantage of the pernicious vulnerability that surfaced in April, getting into the system by using the Heartbleed bug in equipment made by Juniper Networks Inc., David Kennedy, chief executive of TrustedSec LLC, told Reuters this week.

Kennedy said that a number of sources familiar with the investigation into the attack confirmed that Heartbleed provided hackers access to the system.

Community Health Systems said on Aug. 18 that the attack originated in China.

Kennedy testified before the U.S. Congress on security flaws in the healthcare.gov website that people in the U.S. use to sign up for Obamacare health insurance programs. He added that the hospital operator uses Juniper's equipment to provide remote access to employees through a virtual private network (VPN).

The hackers used stolen credentials to log into the network pretending to be employees, Kennedy confirmed. Once they got in, they hacked their way into a database and stole millions of social security numbers and other data.

Heartbleed is a major bug in OpenSSL encryption software that is used to secure websites and technology products like data center software, telecommunications, and mobile phones.

It makes systems vulnerable to data theft by hackers who can attack without anyone knowing about it, according to Reuters.

Community Health Systems is one of the biggest hospital groups in the U.S. It said the information stolen included patient names, social security numbers, birth dates, addresses and phone numbers of people who were referred to or received services from doctors affiliated with the company since 2009.

A spokesman for FireEye Inc's Mandiant forensics unit, which is leading the investigation into the breach, has not commented publicly yet regarding the news.

At least 900 people had their information stolen back in April after hackers exploited the Heartbleed bug, according to Canada's tax-collection agency.

© 2024 Auto World News, All rights reserved. Do not reproduce without permission.