Hackers Reportedly Exploited Heartbleed Bug to Steal 4.5 Million Patient Records
The hackers who stole 4.5 million patient records from an American hospital network might have exploited the infamous Heartbleed bug to carry out the hack — the first time the bug has been reported to be at the center of a high-profile breach.
The attackers, who are suspected to be Chinese hackers, took advantage of a device that had not been patched to fix the Heartbleed bug to steal user credentials. They later used the login information to get into the network of Community Health Systems (CHS), where they siphoned off patients’ information such as names, addresses, birth dates, telephone numbers and social security numbers, according to Dave Kennedy, the CEO of security company TrustedSec.
“This is the first confirmed breach of its kind where the heartbleed bug is the known initial attack vector,” Kennedy wrote in a blog post, citing information obtained from “a trusted and anonymous source close to the CHS investigation.”
@pmelson @SteveD3 don’t know the group just know it was heartbleed as initial entry point
— Dave Kennedy (ReL1K) (@HackingDave) August 20, 2014
Neither Kennedy nor TrustedSec is involved in the breach investigation, but Bloomberg later confirmed the report, also citing an anonymous source “involved in the investigation.”
Kennedy explained in the post that the hackers’ entry point was a CHS Juniper device that had not been patched promptly after the Heartbleed bug was disclosed in April. The attackers were able to read user credentials out of the device’s memory and then use them to log in to CHS’s systems through a Virtual Private Network (VPN), a tool that provides secure remote connections.
So CHS was owned with Heartbleed on a Juniper Firewall according to @HackingDave
— Chris Campbell (@obscuresec) August 19, 2014
At this point, neither CHS nor FireEye, the security firm hired to investigate the breach, has released any details about how it occurred. But SecurityWeek, a trade publication that focuses on cybersecurity, noted that a previously disclosed attack that leveraged Heartbleed appears to match the one publicized this week by CHS.
“The facts support claims that Heartbleed could have been what enabled attackers to run off with the personal information on 4.5 million individuals,” wrote SecurityWeek’s Mike Lennon.
Heartbleed is a vulnerability in the OpenSSL library, an open-source implementation of the SSL/TLS protocols widely used online to secure the connection between a user and a website or a remote server. Researchers revealed the bug in April, and companies and websites relying on OpenSSL scrambled to fix it in the following days, but not everyone patched their systems quickly, leaving the door open to attack. In fact, two months after the discovery was made public, 300,000 websites reportedly remained vulnerable.