The theft of data from 4.5 million patients last week sent shockwaves through the health industry. It’s proof that health organizations can be the target of the same kinds of large-scale data thefts that have plagued other industries.

Information is now coming out about the source of the attack — and it appears to be a Chinese hacker group.

Community Health Systems (CHS) retained cybersecurity company FireEye and its Mandiant division in June to investigate a suspected data theft. And they have now learned quite a lot about the group that pillaged the health care provider’s databases.

Specifically, FireEye has named the perpetrator: a Chinese group called “APT 18,” or Advanced Persistent Threat group #18.

CHS told VentureBeat that the attackers didn’t steal any clinical information from its systems. The breach netted Social Security numbers, phone numbers, and other demographic data. But FireEye spokesman Kyrksen Storer said he could not confirm that clinical data was safe. He said FireEye is still working for CHS, so the full investigation into the theft is probably not complete.

But while FireEye is certain that APT 18 is behind the attack, it’s not yet clear who is behind APT 18. Storer would not confirm that APT 18 is associated with the Chinese government, which has in the past been widely suspected of sponsoring cyberattacks to steal U.S. state secrets and the intellectual property of hundreds of U.S. corporations. He pointed out that an earlier Chinese hacker group called “APT 1” was linked by the FBI to a Chinese military division.

FireEye, however, believes that the Chinese government definitely has a motive to steal data from U.S. health companies.

Stealing cancer data

The CHS event shows some scary motives exist for people and groups to steal health data. And some in the security field believe that many health providers simply don’t have enough protection to deflect attacks.

FireEye says it’s seen numerous security events in the health care, pharmaceuticals, and life sciences industries in the past six months. In a blog post Thursday, FireEye researcher Jen Weedon writes that the Chinese government has a clear motive to steal health data from U.S. companies.

The first motive is basic — a desire to gain access to medical data that might help treat cancer.

Cancer is on the rise in China, Weedon points out. The Guardian reported in July that cancer rates in China have risen by 80 percent in the past 30 years and is now the No. 1 cause of death in a nation with nearly 1.36 billion people. So the government may have a keen interest in accessing the more advanced cancer research being conducted by U.S. pharmaceutical companies.

During one week late last year, FireEye says it saw a China-based group target three different companies that provide oncology treatments and services.

And clinical trials for a myriad of products often take place at hospitals. This fact could make them a target for attackers looking for clinical information on drugs, medical devices, gene treatments, and more.

Flag ChinaIn the breach this summer, CHS said no clinical data was taken, but some analysts believe the attackers may have been targeting medical data. When they failed to get those, the analysts say, the attackers took whatever else they could access.

Weedon believes that big pharmaceutical companies in particular are at risk because of the research data they own. “Nations that use cyberthreat actors to achieve their objectives often have strategic health care initiatives that are a key indicator of compromises to come,” Weedon wrote. “The pharmaceutical industry falls squarely in the crosshairs: threat actors looking to improve their country’s ability to address domestic health concerns will set their sights on stealing IP related to technologies, processes and expertise.”

FireEye says it received a call from one pharma company after hackers compromised more than 100 of that firm’s systems and installed backdoors to facilitate continued access to the victim’s network. One of the APT groups stole intellectual property and business data, including information on bio cultures, products, cost reports, and other details pertaining to the company’s operations abroad.

A second motive: profit

It’s also possible that the Chinese government would be interested in stealing clinical trials data for the benefit of Chinese drug companies. “Imagine if they were to break into Pfizer. They could get information about months and months of drug testing that costs millions to produce,” said Giovanni Vigna, the cofounder and CTO of the cybersecurity company Lastline.

“They could then pass the data to a Chinese drug company which could replicate the formula — this is where the real golden nuggets are in this type of crime,” Vigna told VentureBeat.

The beneficiary of the stolen data would suddenly be years ahead in its research and development costs. It could bring the drug to market much faster. And because the beneficiary would save millions in R&D, they could likely bring the drug to market at a much lower price point.

What went wrong: Heartbleed

So what went wrong at Community Health Systems? The official story right now is that the attackers exploited the “Heartbleed” bug in a VPN server within the CHS network. APT 18 exploited the liability in the OpenSSL cryptography libraries at a VPN server, a source tells VentureBeat, sending thousands of messages at the server until it was able to gain access.

And here, some security analysts believe, CHS is at fault. The Heartbleed security bug was discovered in April, so CHS had time to take precautions.

“As a security vendor, we were not alone in offering solutions for detecting OpenSSL and Heartbleed issues, so there is an element of ‘there’s no excuse for this,” Tenable Network Security’s Jeffrey Man told VentureBeat in an email.

The terrifying Heartbleed bug's logo.

Above: The terrifying Heartbleed bug’s logo.

Image Credit: Heartbleed.com

Man suspects that the problem at CHS may have been the use of free security tools, and an unwillingness to invest in more advanced protection.

“Mileage varies, of course, but too often companies’ ‘risk assessment’ boils down to playing the law of averages and hoping it doesn’t happen to them,” Man said.

Other security pros doubt that the Heartbleed bug was wholly to blame at CHS.

“The Heartbleed bug alone would never have exposed 4.5 million patients’ data, so it’s important to consider that Heartbleed was only a factor in this breach,” says Dr. Vincent Berk, CEO of network security company FlowTraq.

“The way the Heartbleed bug works is that a hacker will send hundreds of thousands of information requests in the that  the exploited server sends back something of use,” Berk says. “Because of its lack of precision, it’s safe to assume that in the case of Community Health Systems, Heartbleed at most may have allowed for an entry point for the attacker, but it’s not the sole contributing factor to the breach.”

For now, the investigation of the CMS is ongoing, so lots of details about APT 18 and the data breach remain unanswered.

But enough is already known to suggest that health data is being targeted by bad actors, and health companies may be facing a large cash outlay to buy the security technology necessary for keeping health data safe.