Community Health Systems (CHS) Inc. has become the latest U.S. institution to come forward about falling victim to Chinese hackers after admitting in an SEC filing last week that personally identifiable information about millions of patients was stolen over the course of two separate attacks in April and June.
An investigation conducted on behalf of the hospital giant by FireEye Inc. subsidiary Mandiant has concluded that the level of sophistication and modus operandi behind the breaches points to an “Advanced Persistent Threat” group based in China, according to the document. The firm, which rose to prominence in 2013 after directly implicating the People’s Liberation Army in a separate case of cyberespionage, conceded that intellectual property is typically the target in these kinds of attacks but nonetheless stands by its findings.
CHS said that the intruders had gotten away with data belonging to as many as 4.5 million patients who have gone through its system in the past five years. The company divulged that the stolen trove contained names, addresses, Social Security numbers and all manner of other sensitive details but claimed an internal examination “confirmed” no credit card or medical information fell into the hands of the attackers, which should come as some relief to the affected users.
The filing doesn’t disclose much more than that, but a blog post from TrustedSec LLC published a day after the breach fills in some of the gaps. The security consultancy cites a “trusted and anonymous source close to the CHS investigation” as saying that the hackers exploited the notorious Heartbleed vulnerability in the widely used OpenSSL cryptography library to compromise a device from Juniper Networks Inc. used in the company’s IT environment. The bug allowed the assailants to successfully lift login credentials for CHS’s virtual private network (VPN) off the appliance, TrustedSec goes on to write, and the rest was cake from there.
The firm points to the incident as the first confirmed breach where Heartbleed was used as the initial attack vector, but ominously adds that “there are sure to be others out there.” If its data is accurate, then we can expect the now supposedly “mostly fixed” Heartbleed to continue making headlines in the coming weeks and months.