Chinese cyber-criminals exploited an Internet security bug to steal personal information on 4.5 million patients at the for-profit U.S. hospital chain Community Health Systems, a source involved in a probe into the data breach told Bloomberg.
The bug, known as Heartbleed, “allows hackers to steal secret keys used to encrypt user names, passwords and other digital data,” Bloomberg reported. In this instance, the cyber thieves stole patients’ Social Security numbers, names and addresses.
The suspected hackers have “a history of stealing intellectual property from health-care companies,” Bloomberg said. However, it’s rare for them to steal personal data.
Indeed, investigators are having a difficult time pinning down a motive for the cyber-attack. Possibilities include selling the personal data, using it to gain access to bank accounts, or stealing on behalf of the Chinese government, but there is no evidence at present to support any of them.
A Community Heath spokesperson told Bloomberg that no patient’s medical or financial information was transferred after the attack.
According to security consultant David Kennedy, who is not involved in the investigation but has talked to several sources who are, the first of two attacks against Community Health came about a week after the Heartbleed flaw was made public on April 7. It happened “before Community Health altered its security to reduce its vulnerability,” he told Bloomberg.
But that change didn’t prevent the second attack, which occurred in June, Bloomberg reported, citing a Community Health regulatory filing.
Asked by Bloomberg to comment, China’s U.S. embassy not only said it was not only unaware of the hacking, it blasted any intimations that its government might have had some knowledge of the wrongdoing.
In an email to Bloomberg, embassy spokesman Gene Shuang said, “Chinese laws prohibit cyber-crimes of all forms and Chinese government has done whatever it can to combat such activities. Making groundless accusations at others is not constructive at all and does not contribute to the solution of the issue.”