For a lawsuit to be a possibility, it must be demonstrated that CHS was negligent in any way. A simple vulnerability scan would have demonstrated that the appliance was vulnerable, but CHS didn’t conduct that scan. Now we’re left with the question: Is that enough to prove CHS negligent?
From a security perspective, what exactly happened to expose all this information? What did CHS fail to do to protect the information?
It isn’t surprising that there are still SSL servers that haven’t been updated after Heartbleed was discovered back in April. What is surprising about this case, and perhaps most troubling, is the fact that 4.5 million records left Community Health Systems’ network completely unnoticed.
The Heartbleed bug alone would never have exposed 4.5 million patients’ data, so it’s important to consider that Heartbleed was only a factor in this breach. The way the Heartbleed bug works is that a hacker will send hundreds of thousands of information requests in the hopes that the exploited server sends back something of use. Because of its lack of precision, it’s safe to assume that in the case of Community Health Systems, Heartbleed at most may have allowed for an entry point for the attacker, but it’s not the sole contributing factor to the breach.
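The "hundreds of thousands of requests" pattern described above is exactly what makes Heartbleed traffic detectable on the wire, which bears on the question of why the exfiltration went unnoticed. The following is an added example, not code from the article or from CHS: it parses TLS heartbeat records (RFC 6520 layout) and applies the check that public IDS signatures use, flagging any request whose declared payload length exceeds what the record actually carries, then aggregates per source so a monitoring team can see both malformed requests and request bursts. The sample records and source addresses are constructed for the example.

```python
"""Detection logic for Heartbleed-style TLS heartbeat requests (added example).

TLS heartbeat record layout on the wire (RFC 6520):

  record header : type(1)=0x18, version(2), length(2)
  heartbeat msg : msg_type(1) 1=request/2=response, payload_length(2),
                  payload(payload_length bytes), padding(>=16 bytes)

A well-formed heartbeat satisfies 3 + payload_length + 16 <= record length.
The vulnerable OpenSSL versions trusted payload_length without that check,
so a request that declares more payload than it carries is the signal to alert on.
"""
import struct
from collections import Counter

TLS_HEARTBEAT = 0x18   # TLS content type for heartbeat records
HB_REQUEST = 0x01      # heartbeat message type: request
MIN_PADDING = 16       # RFC 6520 requires at least 16 bytes of padding


def check_heartbeat_record(record: bytes):
    """Classify one raw TLS record.

    Returns (verdict, detail) where verdict is one of
    "not-heartbeat", "ok", "malformed", "truncated".
    """
    if len(record) < 5:
        return "truncated", "record shorter than the 5-byte TLS header"
    rtype, _ver_major, _ver_minor, rec_len = struct.unpack("!BBBH", record[:5])
    if rtype != TLS_HEARTBEAT:
        return "not-heartbeat", f"record type 0x{rtype:02x}"
    body = record[5:5 + rec_len]
    if len(body) < rec_len:
        return "truncated", f"header declares {rec_len} bytes, only {len(body)} present"
    if len(body) < 3:
        return "malformed", "heartbeat body shorter than type + payload_length"
    msg_type, payload_len = struct.unpack("!BH", body[:3])
    # The core Heartbleed check: declared payload plus mandatory padding
    # must fit inside the record that actually arrived.
    if 3 + payload_len + MIN_PADDING > rec_len:
        return "malformed", (f"declared payload {payload_len} bytes "
                             f"does not fit in {rec_len}-byte record")
    kind = "request" if msg_type == HB_REQUEST else "response"
    return "ok", f"well-formed heartbeat {kind}, payload {payload_len} bytes"


def scan_events(events, burst_threshold=100):
    """Aggregate (source_ip, raw_record) pairs into per-source heartbeat stats.

    Returns (stats, alerts): stats maps source -> Counter with keys
    'heartbeats' and 'malformed'; alerts lists sources that sent any
    malformed heartbeat or at least burst_threshold heartbeats in total.
    """
    stats = {}
    for src, rec in events:
        verdict, _detail = check_heartbeat_record(rec)
        if verdict == "not-heartbeat":
            continue
        counter = stats.setdefault(src, Counter())
        counter["heartbeats"] += 1
        if verdict == "malformed":
            counter["malformed"] += 1
    alerts = sorted(src for src, c in stats.items()
                    if c["malformed"] > 0 or c["heartbeats"] >= burst_threshold)
    return stats, alerts


# Constructed sample records (not captured traffic).
# Benign: record length 23 = 3 header + 4 payload + 16 padding.
BENIGN_HEARTBEAT = b"\x18\x03\x02\x00\x17" + b"\x01\x00\x04ping" + b"\x00" * 16
# Malformed: 3-byte record that claims a 16384-byte payload.
MALFORMED_HEARTBEAT = b"\x18\x03\x02\x00\x03" + b"\x01\x40\x00"
# Ordinary application-data record, ignored by the heartbeat check.
APP_DATA = b"\x17\x03\x02\x00\x01\x00"

# Constructed event stream using RFC 5737 documentation addresses.
SAMPLE_EVENTS = [
    ("192.0.2.10", BENIGN_HEARTBEAT),
    ("203.0.113.7", MALFORMED_HEARTBEAT),
    ("198.51.100.5", APP_DATA),
    ("192.0.2.10", BENIGN_HEARTBEAT),
    ("203.0.113.7", BENIGN_HEARTBEAT),
    ("203.0.113.7", MALFORMED_HEARTBEAT),
]

if __name__ == "__main__":
    per_source, flagged = scan_events(SAMPLE_EVENTS)
    for src, c in sorted(per_source.items()):
        print(f"{src}: {c['heartbeats']} heartbeats, {c['malformed']} malformed")
    print("alert on:", flagged)
```

The length check alone catches the malformed requests; the burst threshold is there because a patched server still answers heartbeats, and a single source sending them by the hundred thousand is worth a look regardless of whether any record is malformed.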
What could the attackers do with the information to hurt consumers? What would they have been able to do with the clinical information, had they been able to grab it?
Clinical information is not by itself valuable. The information that will be of most use to attackers is the credentials, like social security numbers, date of birth, name and addresses. This allows attackers to sell the information, sometimes for as much as $18 per full credential, which means financial fraud and credit card fraud are a distinct possibility.
Typically an insurance company might be interested in this type of information, but they have their own ways of obtaining statistics already. I suspect that the attackers are more interested in patients’ personal information, which is more valuable as it is more complete. Medical records tend to be very complete sources of information about people, as they often also include information on place of birth, siblings, descendants, etc. The more complete the personal information, the higher the value of those credentials on the black market.