Sources close to the breach investigation tipped off TrustedSec CEO David Kennedy.
Sources close to the breach investigation tipped off TrustedSec CEO David Kennedy.

The CEO of a security firm believes that the major Community Health Systems (CHS) breach impacting four million patients started with the exploit of a VPN device, which was vulnerable to the notorious Heartbleed bug.

According to David Kennedy, the principal security consultant and CEO at Ohio-based TrustedSec, attackers targeted a VPN concentrator device manufactured by Juniper Networks.

TrustedSec revealed the information in Tuesday blog post, and in a Wednesday follow up interview with, Kennedy confirmed that three sources close to the CHS investigation tipped him off to the initial attack vector.

After leveraging the Heartbleed flaw, attackers were able to obtain VPN credentials stored in memory on the CHS Juniper device, Kennedy explained.

In his interview with, he added that the attack happened soon after word spread of the pervasive Heartbleed bug in early April – which essentially allows attackers to “read protected pieces of memory that could contain sensitive information,” Kennedy said.

In this case, the obtained information led saboteurs to a trove of data housed by Tennessee-based CHS – names, addresses, birth dates, phone numbers and Social Security numbers belonging to more than four million patients.

CHS, which owns, operates and leases 206 hospitals across the country, was reportedly struck with malware during its breach –  a move, which Kennedy couldn't confirm took place, though he did see it as a logical next step for attackers, which made “perfect sense.”

“Once [attackers] had those credentials they were sitting on that network with full access,” Kennedy said.

While Kennedy didn't give specifics as to the date of the breach, he did say that attackers compromised the vulnerable device “shortly after the Juniper patch was out,” and that immediate implementation of the fix could have thwarted the breach.

Less than two weeks after the Heartbleed vulnerability was publicly disclosed in April, security firm Mandiant revealed that it was investigating an incident where an attacker “leveraged the Heartbleed vulnerability against a VPN appliance and hijacked multiple active user sessions.”

In the blog post, the company detailed an attack scenario which sounds similar to Kennedy's description of the Community Health incident.