Community Health Systems to Notify Up to 1 Million Individuals About GoAnywhere Data Breach
In mid-February, Community Health Systems filed a report with the U.S. Securities and Exchange Commission (SEC) confirming it had been affected by a security incident involving its secure file transfer software, Fortra’s GoAnywhere MFT. The Clop ransomware gang claimed responsibility for the attack and said it had exfiltrated data from around 130 users of the software. As per the group’s modus operandi, ransom demands were issued along with threats to publish the stolen data; however, somewhat atypically, ransomware was not used to encrypt files. In the SEC filing, Community Health Systems explained that the protected health information of up to 1 million individuals was potentially compromised and stated that the investigation into the incident was ongoing.
Community Health Systems has now released further information on the data breach and said it will start sending notification letters to all affected individuals in mid-March. Community Health Systems confirmed that Fortra contracts with CHSPSC, LLC, which is a professional services company that provides services to hospitals and clinics affiliated with Community Health Systems Inc. Fortra notified CHSPSC that a security incident was detected on the evening of January 30, 2023, and took the system offline on January 31, 2023. The investigation confirmed that an unauthorized individual had gained access to the system between January 28, 2023, and January 30, 2023, by exploiting a previously unknown vulnerability – a pre-authentication command injection issue – and compromised a set of files throughout the GoAnywhere platform. CHSPSC was notified about the breach on February 2, 2023, and initiated its own investigation to determine the extent to which patient data had been affected.
Community Health Systems has now confirmed that the personal and protected health information of patients of CHSPSC affiliates has been compromised, along with the personal information of a limited number of employees and other individuals. That information includes full names, addresses, medical billing information, insurance information, medical information such as diagnoses and medications, and demographic information, such as birth dates and Social Security numbers.
Fortra said it terminated access when the breach was detected by taking the platform offline. The GoAnywhere platform has now been rebuilt with additional system limitations and restrictions, and a patch for the exploited vulnerability was released on February 6, 2023. CHSPSC has confirmed that it has implemented further security measures to harden the security of the GoAnywhere platform.
All affected individuals will be offered complimentary identity restoration and credit monitoring services for 24 months. Community Health Systems has also confirmed that it has been assisting law enforcement, the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) with their investigations.
Update: The incident has been reported to the HHS’ Office for Civil Rights as affecting 962,884 individuals.