The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Up to 1 Million Community Health Systems’ Patients Affected by GoAnywhere MFT Hack

Franklin, TN-based Community Health Systems has recently confirmed that it has been affected by a security incident at a cybersecurity firm that has seen unauthorized individuals gain access to the protected health information of up to 1 million patients. Community Health Systems is one of the largest health systems in the United States, and operates 79 hospitals and more than 1,000 sites of care in 16 U.S. states. On February 13, 2023, Community Health Systems confirmed in a Securities and Exchange Commission 8-K filing that it was recently notified by one of its cybersecurity vendors – Fortra – about a security incident affecting some of its data.

Community Health Systems said the breach appears to be limited to Fortra’s GoAnywhere MFT platform, its own systems have not been compromised, and the security incident did not have any impact on the care provided to patients. It is too early to tell exactly what information has been exposed, the extent of any data theft, and how many individuals have been affected, but Community Health Systems believes up to 1 million individuals have most likely been affected.

Community Health Systems confirmed that it is covered by a cyber insurance policy that provides some degree of protection against losses due to cyberattacks and it will be offering identity theft protection services to affected individuals. Further information will be released as the investigation progresses, as detailed in this post.

Zero-Day Flaw Exploited in More Than 130 Attacks

Fortra is a cybersecurity company that provides a secure file transfer platform called GoAnywhere MFT. Fortra recently confirmed that a zero-day vulnerability has been identified that was being exploited in the wild. At the time of issuing the security alert, a patch was not available to fix the vulnerability. Fortra notified all customers and provided mitigations to prevent exploitation of the flaw, then released an emergency patch the following day.

The vulnerability – tracked as CVE-2023-0669 – can be exploited remotely on GoAnywhere MFT instances that have their admin consoles exposed to the Internet. Successful exploitation of the flaw will allow a malicious actor to remotely execute code. A proof-of-concept (PoC) exploit for the flaw was publicly released this week. The flaw cannot be exploited if the admin console is only available within a private network or through a VPN, nor if allow-lists have been created to restrict access to trusted IP addresses.

Bleeping Computer has reported that it was contacted by a hacker who claimed to be a member of the Clop ransomware gang who said the vulnerability had been exploited by the group at more than 130 organizations. The exploit allowed them to gain access to the platform and move laterally, and while it would have been possible to deploy ransomware, the decision was made to only exfiltrate data in an extortion-only attack.

Similar tactics were used in December 2020 in a wave of attacks that exploited a zero-day vulnerability in the Accellion File Transfer Appliance (FTA). Approximately 100 companies were affected, had data stolen, and were subject to extortion attempts. Data was subsequently leaked on the Clop data leak site when the ransoms were not paid. The attacks were attributed to a group called FIN11, which has ties to the Clop ransomware group.

While the claims by the Clop ransomware group member have not been verified, Joe Slowik, Threat Intelligence Manager at the cybersecurity firm Huntress, has linked the attacks to the threat actor tracked as TA505, which has previously conducted ransomware attacks using Locky, Philadelphia, GlobeImposter, and Clop ransomware variants. Bleeping Computer reports that Shodan scans show there are more than 1,000 GoAnywhere MFT instances exposed to the Internet, but only 136 are vulnerable to the flaw, as they can be accessed via ports 8000 and 8001, which are used by the vulnerable admin console.
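
Administrators can check the exposure condition described above (admin console ports 8000 and 8001 reachable from outside a private network or an IP allow-list) against their own inbound firewall rules. The following is an added example, not code from Fortra or from this article; the rule format, the sample rules, and the trusted address are constructed for illustration and assume an allow-only rule set such as a cloud security group.

```python
import ipaddress

ADMIN_PORTS = {8000, 8001}  # admin console ports named in the article

# RFC 1918 private ranges: sources inside these are treated as internal.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of allow-only inbound rules: (source CIDR, first port, last port).
SAMPLE_RULES = [
    ("0.0.0.0/0", 443, 443),        # public HTTPS, not an admin port
    ("0.0.0.0/0", 8000, 8001),      # admin console open to the Internet
    ("10.20.0.0/16", 8000, 8001),   # internal network only
    ("198.51.100.7/32", 8000, 8000),  # single address on the allow-list
    ("203.0.113.0/24", 7990, 8010),   # wide port range that covers both admin ports
]
TRUSTED = ["198.51.100.7/32"]  # constructed allow-list of trusted sources


def exposed_admin_rules(rules, trusted):
    """Return (source, admin_ports) for each rule that lets a source outside
    the private ranges and the allow-list reach an admin console port."""
    allowed = PRIVATE_NETS + [ipaddress.ip_network(t) for t in trusted]
    findings = []
    for source, first, last in rules:
        ports = sorted(p for p in ADMIN_PORTS if first <= p <= last)
        if not ports:
            continue  # rule does not touch the admin console
        net = ipaddress.ip_network(source, strict=False)
        # subnet_of() requires matching IP versions, so compare like with like.
        covered = any(net.subnet_of(a) for a in allowed
                      if a.version == net.version)
        if not covered:
            findings.append((source, ports))
    return findings


if __name__ == "__main__":
    for source, ports in exposed_admin_rules(SAMPLE_RULES, TRUSTED):
        print(f"admin console ports {ports} reachable from {source}")
```

A rule is flagged only when its whole source range falls outside the private and trusted networks, so an overly broad range that merely contains a trusted address is still reported.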

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
