CHS to Notify 1 Million in Breach Linked to Software FlawHospital Chain Faults Zero-Day Vulnerability in 3rd-Party File Transfer Software
Community Health Systems will soon begin notifying up to 1 million individuals believed to have been affected by a data breach when attackers exploited a zero-day vulnerability in a third-party vendor's secure managed file transfer software.
The Tennessee-based multistate hospital chain says in a breach report filed Wednesday to the Maine attorney general that in mid-March it will begin notifying patients and "a limited number" of employees and other individuals that their personal information was disclosed to an "unauthorized party" as a result of a Fortra security incident involving its GoAnywhere MFT product.
Compromised information includes individuals' full names, addresses, medical billing and insurance information, certain medical information such as diagnoses and medication, and demographic information such as birthdates and Social Security numbers.
CHS has been working "diligently" to determine an accurate number of individuals affected by the Fortra Incident, both overall and for the state of Maine, the report to the attorney general says.
Earlier, on Feb. 13, CHS filed a report with the U.S. Securities and Exchange Commission about the incident, estimating that about 1 million individuals had been affected (see: CHS: 1 Million Patients Affected by GoAnywhere MFT Hack).
Last month, ransomware group Clop claimed to have exploited the GoAnywhere vulnerability to breach networks used by 130 different organizations (see: Clop Ransomware Group Claims Widespread GoAnywhere MFT Exploits).
An attorney representing CHS in the breach did not immediately respond to Information Security Media Group's request for additional details about the incident, including an updated estimate on the total number of individuals affected and whether Clop had been involved in the healthcare entity's data compromise.
CHS in a breach notice posted on its website says Fortra informed the healthcare entity that it had become aware of the incident the evening of Jan. 30 and had taken the affected systems offline on Jan. 31, stopping the unauthorized party's ability to access the system. CHS says Fortra notified the company of the incident three days later, on Feb. 2.
CHS says the attack compromised "sets of files throughout Fortra's platform" after exploiting "a previously unknown vulnerability to gain access to Fortra's systems, specifically Fortra's GoAnywhere file transfer service platform."
Both CHS and Fortra have been in contact with law enforcement, including the FBI and the U.S. Cybersecurity and Infrastructure Security Agency, the letter says.
The software company issued a security alert about its GoAnywhere MFT software on Feb. 1. Nine days later, CISA included the vulnerability in its catalog of known exploited vulnerabilities.
CISA describes the GoAnywhere MFT flaw as involving a "pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object." Fortra issued a patch for the issue on Feb. 6 in the release of version 7.1.2.
To protect against similar future incidents, CHS says Fortra informed the healthcare organization that it has "deleted the unauthorized party's accounts, rebuilt the secure file transfer platform with system limitations and restrictions and produced a patch for the software."
CHS says it also has implemented additional security measures, including applying the Fortra patch and taking immediate steps to "harden the security" of the company's use of the GoAnywhere platform.
CHS is offering affected individuals 24 months of free credit and identity monitoring.
Fortra in a statement told ISMG that after becoming aware on Jan. 30 of suspicious activity within certain instances of its GoAnywhere MFT, the company immediately took multiple steps to address the issue.
They included implementing a temporary outage of this service to prevent any further unauthorized activity, notifying customers who may have been affected, and sharing mitigation guidance, including instructions to its on-premises customers about applying a developed patch, Fortra says.
“We are taking this very seriously and continue to help our customers implement mitigation steps to address this issue," the statement says.
Fortra did not immediately respond to ISMG's request for comment on the CHS breach or reports of Clop's claims.