Heartbleed_CommunityHealth_hack
The hackers used the Heartbleed vulnerability to collect user credentials from memory on a Community Health Juniper device and used them to login via a virtual private network. Illustration/International Business Times

Chinese hackers used the Heartbleed security flaw to steal personal data belonging to 4.5 million patients of Community Health Systems Inc. (NYSE:CYH), the second-largest chain of hospitals in the U.S., a report said Wednesday.

The report follows Community Health's disclosure on Tuesday that the company was the victim of a cyber attack from China, resulting in the theft of patients’ Social Security numbers, names, addresses and other personal data. The latest attack is considered to be the first known instance when the Heartbleed vulnerability has been used to breach a company’s systems, Bloomberg reported.

“We never had any tangible proof of an attack until now,” David Kennedy, founder of TrustedSec LLC, a Cleveland, Ohio-based security consulting company, told Bloomberg. Kennedy, who first reported that Heartbleed was used to attack Community Health, said he obtained the details of the hack from “a trusted and anonymous source” close to the investigation.

According to Kennedy, the hackers used the Heartbleed vulnerability to collect user credentials from the memory of a hospital device manufactured by Juniper Networks (NYSE:JNPR) and used them to log in through a virtual private network, or VPN. The attackers then extended their access into the company’s network until an estimated 4.5 million patient records were stolen from a database.

“There are sure to be others out there, however this is the first known of its kind,” a post on the TrustedSec website said.

The Heartbleed flaw, which was publicly disclosed on April 7, allows hackers to steal secret keys that are used to encrypt user names, passwords and other digital data. Following the bug's discovery, many companies and security researchers were forced to build fresh safeguards to protect their computer networks.

Investigators are trying to determine if the Community Health hack was backed by the Chinese government, however, the Chinese embassy in Washington said it was unaware of the incident.

“Chinese laws prohibit cyber crimes of all forms and Chinese government has done whatever it can to combat such activities,” Bloomberg quoted Geng Shuang, an embassy spokesman, as saying. “Making groundless accusations at others is not constructive at all and does not contribute to the solution of the issue.”