The Fortra/GoAnywhere breach also affected healthcare entities. Here’s what we know so far, Part 2.
- 24th April 2023
- Posted by: CyberYogi
- Category: Governance, Risk, and Compliance
More than two months after Fortra first began notifying clients that threat actors had exploited a vulnerability in GoAnywhere, many patients whose protected health information was stolen may still have no clue. In Part 1, we noted six entities that have disclosed the breach. Five of them are listed on Clop’s leak site with their data being leaked to pressure them into paying extortion. Their disclosures generally do not include any statement about patient data being leaked on the dark web.

In Part 2, we list seven U.S. entities and one Canadian entity that do not appear to have publicly disclosed this incident, even though protected health information may already be leaking on the dark web. HHS was asked to comment on these large third-party file-transfer breaches. Their comments appear at the end of this article.

MedMinder

MedMinder has not issued any press release or public notification concerning the incident and did not reply to this site’s inquiry of March 11. In a statement to TechCrunch last month, the prescription delivery and management service indicated it was “aware of the allegations” but declined to comment further while the company was investigating. DataBreaches sent MedMinder a second inquiry on April 18, but still received no reply.

Clop claims to have MedMinder files that they describe as “Technical documentation. PDF, png files, xlsx databases. Data files in “godrive” goanywhere`s folder.” On inspection, the limited data Clop has leaked in this first part appeared to be internal data and not protected health information (PHI), but we have yet to see what is in other parts.

Homewood Health

Homewood Health offers inpatient and outpatient mental health treatment and support services. Numerous entities in Canada contract with them for employee assistance programs.
DataBreaches has sent Homewood Health two email inquiries about the Fortra/GoAnywhere incident but has received no reply, despite the fact that their website says, “For any media related inquiries, please get in touch with us. We’ll be happy to answer any questions you may have.”

Clop claims to have acquired a lot of personal or protected health information:

“Xls, csv files – name, last name, email, date of birth, department of employee. Csv files – reports of client activity on the website, log files of the chatbot. PDF – statistical reports, xls files – lists of buyers, company names and policy numbers, financial reports. PDF – individual cases (short-term loss of operability) – name, last name, address, date of birth, phone numbers, place of work. JPG – photos of employees on documents, photos from different events. Photos of different documents (driving license, vaccination). Presentations.”

In this first part of their leak of Homewood’s data, Clop leaked detailed files, including: files that each contain dozens of pages of reports on Teknion employees whose names had been redacted; files that each contain dozens of pages of reports on Conestoga College employees whose names were not redacted; and screencaps of case summary reports from Oncidium. Other screencaps contained some personal information about employees.

Allied Benefit

Clop has leaked some data from Allied Benefit and claims to have acquired:

FTP servers by the names of medical companies. Pdf, Csv files – payments for medicines: name, last name, ID, amount, name of drugs). Reports, databases with people’s names and addresses. Database of medical companies: name, address, phone number, billing address, Tax_ID. Employee databases: name, address, phone, email. PGP encrypted files. Password protected archives.

Inspection of the leaked data did reveal folders for .ftp servers for clients.

CloudMed

CloudMed is a revenue management business associate.
Clop claims to have acquired:

Customer databases of different hospitals: name, address, SSN, phone number, insurance name, insurance diagnosis name, doctor’s name. Log file, which contains login, hash passwords, name, phone, email, users and what files were put through the site.

The limited data that Clop has leaked so far does not appear to contain PHI, but it does document transmissions over the file transfer system. It is not clear how many more parts or data leaks there will be for this entity.

Tropical Texas Behavioral Health

Tropical Texas Behavioral Health was also added to Clop’s leak site, but without any details other than just a “Coming Soon” message. There is nothing on the mental health and substance use treatment provider’s website about any breach and no submission on HHS’s public breach tool. Clop’s listing doesn’t indicate whether TTBH was part of the Fortra incident. Emails sent to TTBH on April 16 and 19 have received no reply.

Multiplan

Clop often adds a statement to many victims’ leaks: “The company doesn’t care about its customers, it ignored their security!!!” In Multiplan’s case, Clop went much further:

“Example of company and criminal board interested delay inevitable. This company negotiate with only one purpose, to delay announcement after their quarterly reports. They do not value all of 3TB of their data that soon you have here. Investors should ask big question of this company board. Why you did not tell market of this situation before results? who is criminals and they must held to account for market manipulation.”

The first part of the data leak for Multiplan was in 32 parts, which may be a reflection of Clop’s frustration with that particular victim. The figure below shows a redacted version of the directory of folders that Clop has already leaked. Each folder was for a different provider or health plan.

Clop does not indicate how many more updates there will be for each victim entity.
Alivia Health

Alivia Health in Puerto Rico has not provided any notification and has not responded to emailed inquiries of March 11 and April 16. Clop claims to have acquired “Pdf, xlsx, png, jpeg files.” The first data leak for Alivia was allegedly files in their GoAnywheredocuments_20230202 directory. None of the files in the small leak could be definitively linked to Alivia or to any patient data, though. We will have to see what future updates include.

ITx

ITx is another revenue management company. Clop claims to have exfiltrated: CSV, XLSX files […]