Fortra GoAnywhere-Related Health Data Breach Tally Climbs
Nearly a Dozen More Breaches Affecting 4.3 Million Recently Reported
The tally of individuals whose sensitive information was compromised by the exploitation of a zero-day vulnerability in Fortra's GoAnywhere secure file transfer software is growing by millions as more entities report health data breaches to regulators.
Companies have acknowledged to federal regulators in recent weeks a dozen breaches involving the Fortra vulnerability, and the count of affected individuals exceeds 4.3 million.
Nine of those breaches - collectively affecting nearly 1 million individuals - were reported separately to the Department of Health and Human Services on April 7 by Brightline, a Palo Alto, California, provider of virtual behavioral health coaching and therapy for families and children.
Those disclosures come weeks after insurer Blue Shield of California already reported to regulators a breach affecting more than 63,000 individuals who had accessed Brightline services through it (see: Health Plan, Mental Health Provider Hit by GoAnywhere Flaw).
The vulnerability in GoAnywhere MFT is a pre-authentication remote code execution flaw: attackers can remotely execute code of their choosing without first having to authenticate to the administrative console.
For the attack to succeed, the administrative console must be internet-exposed. The first known attacks to exploit the flaw began Jan. 25. On Feb. 1, Fortra issued a security alert and mitigation instructions. On Feb. 7, it released version 7.1.2 of GoAnywhere MFT, which patches the flaw.
The Cybersecurity and Infrastructure Security Agency and other federal agencies have urged GoAnywhere MFT users to immediately patch their software.
Ransomware group Clop claimed in February to have exploited the GoAnywhere vulnerability to breach networks used by 130 different organizations. The cybercrime gang took responsibility for over 50 hacks tied to the exploit (see: Clop: GoAnywhere Attacks Have Now Hit 130 Organizations).
At least two other health benefits corporations have also reported large GoAnywhere incidents to HHS over the last few weeks.
That includes a breach affecting more than 3 million individuals reported by Florida third-party benefits administrator NationsBenefits Holding.
Santa Clara Family Health Plan separately reported a hacking incident affecting 277,000 individuals that also involved its third-party benefits administrator NationsBenefits and the Fortra compromise.
NationsBenefits said it determined Feb. 13 that certain individuals' personal information had been affected in the compromise.
Health plan member data affected by the incident includes name, demographic information and identifiers such as Social Security number as well as medical device or product purchased and caregivers' names.
"Importantly, not every impacted individual had all of these data elements impacted, or the same combination of data elements impacted," NationsBenefits said.