The Fortra/GoAnywhere breach also affected healthcare entities. Here’s what we know so far.
- 24th April 2023
- Posted by: CyberYogi
- Category: Governance, Risk, and Compliance
More than two months after Fortra first began notifying clients that threat actors had exploited a vulnerability in GoAnywhere, many patients whose protected health information was stolen may still have no clue. In Part 1, we note entities that have already disclosed the breach. In Part 2, we will note those entities that do not appear to have disclosed the breach even though protected health information may already be leaking on the dark web.

Much of what we know about which medical entities have been affected by Clop’s attack comes from Clop itself. The threat actors started listing Fortra clients and samples of stolen data on their leak site to pressure Fortra clients to pay them to delete data and not leak more.

DataBreaches noted about a dozen North American entities that either definitely had or likely had protected health information acquired by Clop. In this post, we will note those Fortra clients that have already issued notifications or disclosures concerning protected health information. In a second post, we will note entities that have not issued any public disclosures about the incident.

DataBreaches has also sent inquiries to Fortra as to whether it would be making notifications to HHS and/or to patients for covered entities whose patient data was stolen. Rachel Woodward, Fortra’s Public & Analyst Relations Manager, answered, “The blog serves as our official statement on the incident, and we don’t have any additional details to share.” There is nothing in their blog responsive to the question and there is nothing currently on HHS’s public breach tool that was filed by Fortra.

Given that context, let’s note the entities that have disclosed:

Community Health Systems

Community Health Systems appeared to be the first to publicly disclose. Having been notified of the incident on February 2, by February 13, they had filed Form 8-K with the SEC.
On March 16, Community Health Systems Professional Services Corporations (CHSPSC), LLC notified HHS that the incident impacted 962,884 of their patients. Community Health’s website notice indicated that they were providing notification on behalf of 101 entities listed in an FAQ on their site.

Of note, neither “Community Health Systems,” “CHS,” nor “CHSPSC” appear on Clop’s leak site. Does their absence from the leak site indicate that they paid Clop any ransom, or does it indicate that negotiations are taking place? Or is it just the case that Clop has not yet tried to extort them? Or how about “none of the above?” There is nothing in CHS’s disclosure that suggests that there has been any ransom or payment made. DataBreaches reached out to CHS to ask them whether Clop ever tried to directly extort them, and if so, how they responded. No reply was received.

HelloBrightline

Brightline, a startup pediatric behavioral health provider, issued notifications on behalf of some clients. DataBreaches found reports to:

- the Maine Attorney General’s Office on behalf of Coach USA employees serviced by the Aetna health plan. That report indicated that 27,742 plan members had been affected.
- the Maine Attorney General’s Office on behalf of Blue Shield of California. That report indicated that 63,341 members’ information shared with Brightline had been involved.
- the California Attorney General’s Office, with a copy of their notice to Samsung Semiconductor employees/dependents. That report did not indicate the number affected.

On its website, Brightline identifies 52 other covered entities it is providing notice for.

Unlike Community Health Systems, which does not appear on Clop’s leak site, HelloBrightline does appear on Clop’s site. The threat actors have posted some screencaps and data, and claim to have acquired:

CSV databases with personal data of people: name, date of birth, address, gender, mail, phone. That files are divided into folders of client companies

Clop does not leak all victim data at once. Its practice is to leak in multiple parts or “updates.” So far, it has leaked a Brightline folder called “all_clients_read_only” and some screencaps. The screencaps include personally identifiable information (PII) and protected health information (PHI) from Samsung employees and Diageo employees. There are also spreadsheets with insurance eligibility information for different insurers.

The total number of Brightline patients affected by the breach has not been disclosed.

US Wellness

US Wellness issued a notification on behalf of some Blue Cross Blue Shield of Arizona members. The member information involved included their name, address, date of birth, member ID number, where a service originated, and the address of the service location.

On March 22, US Wellness filed a report with HHS indicating that 11,459 patients had been affected. Whether that report was for the BCBSAZ members or some other covered entity is unknown to DataBreaches, as is whether or not they will be filing notifications on behalf of other covered entities. A copy of their notification can be found on their website.

Clop claims to have acquired:

“XLS database of people: name, mail, gender, date of birth, phone number. QuickBooks files, coronavirus tests: name, address, test type. Resumes of employees, medical certificates, photos of employees from different events. Insurance files and certificates for the company.”

Data leaked in the first part of Clop’s dump includes personal and protected health information.

WellBe Senior Medical

On April 10, the home healthcare provider issued a notice that explained that the types of information varied by individual but could have included patient name, address, date of birth, gender, medical diagnosis information, medical diagnosis code, procedure code, health plan ID number, medical record ID number, and the date of service.
Clop claims to have acquired:

Pdf, txt, xlsx, csv files – Patient data: name, name of insurance company, diagnosis, address, phone, client id, doctor’s name. Financial reports, results of pulse measurements.

One of the screencaps contained PHI while the others contained internal documents and provider information. The first part also included a folder of .mp3 recordings where representatives called patients to offer in-home services. In the process, one hears the patient’s name, address, insurance information, details of their diagnoses and need for care, etc.

NationsBenefits

NationsBenefits also issued notifications. A copy of […]