A cyber-attack that saw hackers steal data on 4.5 million hospital patients is the first known large-scale breach exploiting the ‘Heartbleed’ bug.
Equipment made by Juniper Networks and used in the computer systems of hospital group Community Health Systems contained the Heartbleed vulnerability disclosed by researchers in April, which enabled the hackers to gain access to the network.
David Kennedy, chief executive of TrustedSec, told Reuters that multiple sources familiar with the investigation into the attack had confirmed that it was the Heartbleed security flaw that had given the hackers access.
Community Health Systems had said on Monday that the attack had originated in China.
Kennedy, who testified before the US Congress on security flaws in the healthcare.gov website that Americans use to sign up for Obamacare health insurance programs, said the hospital operator uses Juniper's equipment to provide remote access to employees through a virtual private network, or VPN.
The hackers used stolen credentials to log into the network posing as employees, Kennedy said, and, once in, hacked their way into a database and stole millions of social security numbers and other records.
Community Health Systems, one of the biggest US hospital groups, said previously that the information stolen included patient names, addresses, birth dates, phone numbers and social security numbers of people who were referred to, or received services from, doctors affiliated with the company over the last five years.
Representatives of Community Health Systems could not be reached for comment outside regular US business hours. A Juniper spokeswoman said she had no immediate comment.
A spokesman for FireEye's Mandiant forensics unit, which is leading the investigation into the breach, declined to comment.
Heartbleed is a major bug in OpenSSL encryption software that is widely used to secure websites and technology products including mobile phones, data centre software and telecommunications equipment.
Canada's tax-collection agency said in April that the private information of about 900 people had been compromised after hackers exploited the Heartbleed bug.