Heartbleed at Fault for Community Health Systems Hack?

How irresponsible can a company be about security? If reports hold true, very.

As reported on Monday, Community Health Systems, a large hospital provider in the United States, was hacked by Chinese-based hackers. When reports first surfaced, we found that the attacks had happened in April and June of this year. Two separate attacks.

To quote Gomer Pyle: "Fool me once, shame on you. Fool me twice, shame on me."

Apparently, CHS had either never heard this phrase or just didn't pay attention to it. To experience an attack in April and do nothing is pretty irresponsible, in my humble opinion. The attack in June then exposed 4.5 million patient records, allowing names, Social Security numbers, physical addresses, birthdays and telephone numbers of patients to be stolen from 206 hospitals countrywide, going back 5 years.

CHS only reported the hack on Monday of this week and only according to disclosure laws.

That alone should be enough for customers to question ever crossing the threshold of another CHS-owned hospital door.

But, the story gets better (or, worse, depending on how you look at it).

A new blog post by TrustedSec states that the company obtained information from a trusted and anonymous source related to the CHS investigation and was told – get this – the point of attack was the OpenSSL Heartbleed vulnerability.

Heartbleed, if you remember, was the Open Source vulnerability disclosed in April of this year, which points back to CHS's first attack. The vulnerability was reported to affect two-thirds of all web sites and a multitude of vendors. A massive operation was then put into force to fix web sites and vendor software to protect the public against the OpenSSL bug. For companies that had invested in OpenSSL in a large number of their products, the undertaking took a couple months.

Apparently, CHS didn't get the message about how critical the flaw was or they just ignored it, because the organization was attacked again in June. In its Monday report, it blamed malware and announced that the malware had finally been removed. TrustedSec suggests the cause was much different, and if you read into it you get a sense that CHS was simply negligent.

Was CHS simply trying to save face by blaming malware?

I read many reports yesterday blaming Chinese hackers, and it's true we can't rule out cybercrime as a reason why all those patient records were stolen. But, it's also true that hackers exist and will always exist. With so much at stake (4.5 million trusting customers), why knowingly leave the henhouse door open and give the fox free access to sweet smelling food, particularly when you know he visited just a couple months before?

I'm waiting for a good explanation because this truly stinks of negligence. And, that may be why CHS is blaming the Chinese and malware, because proven negligence falls under state laws of protection and could result in 4.5 million lawsuits.