Attackers may have used a virtual private network to break in.
Hackers behind the attack on US medical group Community Health Systems (CHS) exploited the infamous Heartbleed OpenSSL bug, according to security firm TrustedSec.
A source close to the investigation told the company that the attackers took credentials from memory on a Juniper Networks device before logging into the firm’s systems through a virtual private network (VPN) to steal data.
David Kennedy, chief executive of TrustedSec, said: "This is the first confirmed breach of its kind where the Heartbleed bug is the known initial attack vector that was used.
"There are sure to be others out there, however this is the first known of its kind. "
Heartbleed was a zero-day flaw in the security layer that allowed attackers to eavesdrop on conversations through a bug in the "heartbeat" process by which software can communicate with other programmes.
Its discovery in April affected companies such as Google, Instagram and Yahoo, with many of the victims later donating to the Linux Foundation in a bid to improve the future security of the software.
"What we can learn here is that when something as large as Heartbleed occurs we need to focus on addressing the security concerns immediately and without delay," Kennedy added.
4.5 million patients were affected by the attack against CHS, which compromised five years’ worth of personal information including names, birthdates and social security numbers, according to the firm.
However some have speculated that the actual goal was intellectual property, given that the perpetrators are believed to be an advanced persistent threat (APT) group from China.