The Fortra/GoAnywhere breach also affected healthcare entities. Here’s what we know so far. (3)
More than two months after Fortra first began notifying clients that threat actors had exploited a vulnerability in GoAnywhere, many patients whose protected health information was stolen may still have no clue. In Part 1, we note entities that have already disclosed the breach. In Part 2, we will note those entities that do not appear to have disclosed the breach even though protected health information may already be leaking on the dark web.
Much of what we know about which medical entities have been affected by Clop’s attack comes from Clop itself. The threat actors started listing Fortra clients and samples of stolen data on their leak site to pressure Fortra clients to pay them to delete data and not leak more. DataBreaches noted about a dozen North American entities that either definitely had or likely had protected health information acquired by Clop. In this post, we will note those Fortra clients that have already issued notifications or disclosures concerning protected health information. In a second post, we will note entities that have not issued any public disclosures about the incident.
DataBreaches has also sent inquiries to Fortra as to whether it would be making notifications to HHS and/or to patients for covered entities whose patient data was stolen. Rachel Woodward, Fortra’s Public & Analyst Relations Manager, answered, “The blog serves as our official statement on the incident, and we don’t have any additional details to share.” There is nothing in their blog responsive to the question and there is nothing currently on HHS’s public breach tool that was filed by Fortra.
Given that context, let’s note the entities that have disclosed:
Community Health Systems
Community Health Systems appeared to be the first to publicly disclose. Having been notified of the incident on February 2, by February 13, they had filed Form 8-K with the SEC. On March 16, Community Health Systems Professional Services Corporations (CHSPSC), LLC notified HHS that the incident impacted 962,884 of their patients.
Community Health’s website notice indicated that they were providing notification on behalf of 101 entities listed in an FAQ on their site.
Of note, neither “Community Health Systems,” “CHS,” nor “CHSPCS” appear on Clop’s leak site. Does their absence from the leak site indicate that they paid Clop any ransom, or does it indicate that negotiations are taking place? Or is it just the case that Clop has not yet tried to extort them? Or how about “none of the above?” There is nothing in CHS’s disclosure that suggests that there has been any ransom or payment made.
DataBreaches reached out to CHS to ask them whether Clop ever tried to directly extort them, and if so, how they responded. No reply was received.
Brightline, a startup pediatric behavioral health provider, issued notifications on behalf of some clients. DataBreaches found reports to:
- the Maine Attorney General’s Office on behalf of Coach USA employees serviced by the Aetna health plan. That report indicated that 27,742 plan members had been affected.
- the Maine Attorney General’s Office on behalf of Blue Shield of California. That report indicated that 63,341 members’ information shared with Brightline had been involved.
- the California Attorney General’s Office, with a copy of their notice to Samsung Semiconductor employees/dependents. That report did not indicate the number affected.
On its website, Brightline identifies 52 other covered entities it is providing notice for.
Unlike Community Health Systems, which does not appear on Clop’s leak site, HelloBrightline does appear on Clop’s site. The threat actors have posted some screencaps and data, and claim to have acquired:
CSV databases with personal data of people: name, date of birth, address, gender, mail, phone. That files are divided into folders of client companies
Clop does not leak all victim data at once. Its practice is to leak in multiple parts or “updates.” So far, it has leaked a Brightline folder called “all_clients_read_only\” and some screencaps. The screencaps include personally identifiable information (PII) and protected health information (PHI) from Samsung employees and Diaego employees. There are also spreadsheets with insurance eligibility information for different insurers.
The total number of Brightline patients affected by the breach has not been disclosed.
UPDATE of May 3: See our post about Brightline disclosures to date. The number affected appears to be more than 900,000 already but still possibly growing.
US Wellness issued a notification on behalf of some Blue Cross Blue Shield of Arizona members. The member information involved included their name, address, date of birth, member ID number, where a service originated, and the address of the service location. On March 22, US Wellness filed a report with HHS indicating that 11,459 patients had been affected. Whether that report was for the BCBSAZ members or some other covered entity is unknown to DataBreaches, as is whether or not they will be filing notifications on behalf of other covered entities. A copy of their notification can be found on their website.
Clop claims to have acquired:
“XLS database of people: name, mail, gender, date of birth, phone number. QuickBooks files, coronavirus tests: name, address, test type. Resumes of employees, medical certificates, photos of employees from different events. Insurance files and certificates for the company.”
Data leaked in the first part of Clop’s dump includes personal and protected health information.
WellBe Senior Medical
On April 10, the home healthcare provider issued a notice that explained that the types of information varied by individual but could have included patient name, address, date of birth, gender, medical diagnosis information, medical diagnosis code, procedure code, health plan ID number, medical record ID number, and the date of service.
Clop claims to have acquired:
Pdf, txt, xlsx, csv files – Patient data: name, name of insurance company, diagnosis, address, phone, client id, doctor’s name. Financial reports, results of pulse measurements.
One of the screencaps contained PHI while the others contained internal documents and provider information. The first part also included a folder of .mp3 recordings where representatives called patients to offer in-home services. In the process, one hears the patient’s name, address, insurance information, details of their diagnoses and need for care, etc.
NationsBenefits also issued notifications. A copy of their template was sent to the California Attorney General’s Office. Although we do not have any report from them on the total number affected, they notified the Texas Attorney General’s Office that 118,219 Texans were affected and the New Hampshire Attorney General’s Office that 7,130 New Hampshire residents were affected. Whether all of the residents were patients or in some other relationship is unknown to DataBreaches.
Clop claims to have acquired:
Customer databases: name, address, phone number, date of birth, gender, marital status, insurance company name and address. logs and backups of the production server.
The first part of the data leak was in five parts. Screencaps included in that leak revealed some HealthFirst member data.
NationsBenefits website notification can be found here.
UPDATE of May 3: NationsBenefits reported to HHS that 3,037,303 were affected. It is not clear whether that is for all of their clients or just some.
Kannact provides health coaching to clients’ employees. On April 13, they notified the Maine Attorney General’s Office and also posted a notice on their website. Their notification to Maine indicated that the total number affected was unknown at that point.
According to their notification, the types of information that may have been acquired for individuals included their name, date of birth, address, phone number, Social Security Number, driver’s license number, and protected health information,
including, but not limited to, medical diagnosis, treatment, pharmaceutical records, and Kannact ID.
Clop claims to have acquired the following types of files:
xlsx, txt, csv files with customer data: name, dates of birth, address, email, ssn and phone number
The first parts of the data leak confirm Clop’s claims as they included employee and dependent information such as date of birth, address, full SSN, and other details. Screencaps also provided as proof appear to relate to Magellan Rx management with named individuals.
So far, DataBreaches has only found six covered entities or business associates affected by the Fortra vulnerability that have disclosed the breach to regulators or patients. If you know of any other North American healthcare providers or business associates that have also disclosed the Fortra/GoAnywhere incident, please let us know via Signal +1-516-776-7756 or email to FortraBreach[@]databreaches.net.
In Part 2 of this post, to be published tomorrow, we will look at some North American entities that have not disclosed the incident publicly or responded to inquiries.
As Clop may add other victims to their leak site, this post may be updated.
Update 1: The Santa Clara Family Health Plan report to HHS in March that 276,993 members were affected by a breach was due to the Fortra/GoAnywhere attack. NationsBenefits notified them.
Update 2: See our post about Brightline disclosures to date. The number affected appears to be more than 900,000 already.
Update 3: NationsBenefits reported to HHS that 3,037,303 were affected. It is not clear whether that is for all of their clients or just some.