Sometimes our first report of a data breach comes in an 8-K filing to the Securities and Exchange Commission. Such is the case with a breach affecting Community Health Systems, Inc. in Tennessee.
In its 8-K filing of February 13, CHS discloses that they were
recently notified by Fortra, LLC, a third party vendor of the Company, that Fortra had experienced a security incident that resulted in the unauthorized disclosure of Company data. Fortra is a cybersecurity firm that contracts with Company affiliates to provide a secure file transfer software called GoAnywhere. As a result of the security breach experienced by Fortra, Protected Health Information (“PHI”) (as defined by the Health Insurance Portability and Accountability Act (“HIPAA”)) and “Personal Information” (“PI”) of certain patients of the Company’s affiliates were exposed by Fortra’s attacker.
CHS reports that the attack did not impact the delivery of patient care.
Bleeping Computer reported that Clop threat actors had contacted them and claimed to have breached 130 organizations using a GoAnywhere zero-day. Clop stated that, unlike in earlier attacks, they did not encrypt files and only exfiltrated them.
In its 8-K form, CHS estimates that 1 million patients were affected.
Their report is not on HHS’s public breach tool at this time.