Wednesday, October 1, 2014

UPDATE: Community Health Systems (CHS)

A major breach hitting Tennessee-based Community Health Systems (CHS) started with the exploit of a VPN device, which was vulnerable to the Heartbleed bug.

In late August, David Kennedy, principal security consultant and CEO at Ohio-based TrustedSec, cited three sources close to the CHS investigation who tipped him off to the initial attack vector – a VPN concentrator device manufactured by Juniper Networks. After leveraging the OpenSSL flaw, Heartbleed attackers were able to obtain VPN credentials stored in memory on the Juniper device.

The CHS breach reportedly impacted four million patients, whose names, addresses, birthdates, phone numbers and Social Security numbers may have been compromised. Following news of the breach, a lawsuit was filed against CHS accusing the hospital operator of failing to meet security standards to protect patients' personal information.

Type: PHI 
Area: Medical
First Noted: July 2014
Total Records: 4,000,000+
Status: Not Monitoring for Follow Up (Not a client of SLC Security Services LLC)

No comments:

Post a Comment