Community Health Systems, which runs 206 hospitals in 29 states, said intruders had bypassed security measures to steal personal data of patients, including names, social security numbers and addresses.
But the company emphasised that no medical records or credit card records are believed to have been accessed.
This is the first time Heartbleed has been linked to a cyber attack of this size and type, prompting renewed calls for businesses to check open-source components of the software they use.
Heartbleed was exposed when Google and Finnish security firm Codenomicon reported vulnerabilities in some versions of OpenSSL.
Read more on Heartbleed
- Canada Revenue agency reports Heartbleed data theft
- Heartbleed denial reveals loophole for NSA spying
- Cisco and Juniper warn of products hit by Heartbleed bug
- The Heartbleed genie is out of the bottle – now what?
- EFF calls for rapid mitigation of Heartbleed internet bug
- OpenSSL vulnerability 'Heartbleed' may have exposed encrypted traffic
- OpenSSL security flaw could affect millions of websites, warn researchers
The open-source cryptographic library is widely used to encrypt sensitive data in operating systems, email, instant messaging apps and other software products.
Security firm Mandiant, owned by FireEye, was called in by Community Health Systems to investigate the breach, and initially linked the attack to a Chinese hacking group.
But another security firm, TrustedSec, has claimed in a blog post that the attack exploited the Heartbleed OpenSSL vulnerability to get a foothold on the hospital group’s network.
The blog post cited an anonymous source close to the breach investigation, and in an interview with Bloomberg, founder David Kennedy said he was told of the connection by three unnamed sources.
He said the hackers took advantage of the fact that the hospital group used products made by networking firm Juniper.
Like many of its competitors, Juniper took several weeks after the Heartbleed bug was discovered to patch all of its affected products.
“The time between 0-day (the day Heartbleed was released) and patch day (when Juniper issued its patch) is the most critical time for an organisation where monitoring and detection become essential elements of its security program,” the TrustedSec blog post said.
Read more about data breaches
- Most cyber attacks use only three methods, Verizon breach report shows
- Target CEO quits after data breach
- Sears confirms data breach investigation amid retailer data breaches
- Orange data breach underlines need for encryption, say experts
- Target data breach: Why UK business needs to pay attention
- Bitly urges users to secure accounts after security breach
- Target’s CIO resigns after massive data breach
According to the security firm, the ability to detect and respond to an attack when it happens is key to enacting incident response and mitigating the threat quickly.
“What we can learn here is that when something as large as Heartbleed occurs (rare) that we need to focus on addressing the security concerns immediately and without delay,” said TrustedSec. “Fixing it as soon as possible or having compensating controls in place days before could have saved this entire breach from occurring in the first place.”
According to Mandiant, the intrusion at Community Health Systems was initiated in April, the same month that news of the Heartbleed bug became public.
Chris Wysopal, co-founder and CTO of application security company Veracode, said technology suppliers need a way to understand quickly where they have built products with open-source components.
“All products should use software composition analysis with an alerting mechanism for rapid response when a new vulnerability is made public in an open-source component,” he said.
Wysopal said linking software component analysis tools with static application security testing systems will enable vulnerable components in previously scanned code to be located instantly.
Since news of Heartbleed became public, several security researchers have warned that the OpenSSL vulnerability persists in hundreds of thousands of servers because of an inconsistent response by suppliers.