NationsBenefits Holdings Confirms 3 Million Record Data Breach
NationsBenefits Holdings, LLC, a provider of supplemental benefits, flex cards, and member engagement solutions to health plans and managed care organizations, has confirmed that it has been affected by a security breach involving Fortra’s GoAnywhere MFT file transfer solution. The hackers behind the attack – the Clop ransomware group – gained access to NationsBenefits data on January 30, 2023, and exfiltrated that information from the GoAnywhere MFT solution. A ransom demand was issued, payment of which was required to prevent the publication of the stolen data. NationsBenefits was on of 130 organizations to have data stolen in the attacks.
The Clop group exploited a previously unknown (zero-day) vulnerability in the GoAnywhere MFT solution, which allowed them to access and steal data from vulnerable on-premises MFT servers. NationsBenefits Holdings said the Clop group was only able to access two MFT servers; however, a review of the files on those servers revealed they contained the protected health information of 3,037,303 health plan members, including, but not limited to, Aetna ACE, Elevance Health Flexible Benefit Plan, and UAW Retiree Medical Benefits Trust. The compromised information included: first and last name, address, phone number, date of birth, gender, health plan subscriber ID number, Social Security number, and/or Medicare number.
Other healthcare organizations known to have been affected include Community Health Systems (1 million individuals) and Brightline (at least 964,300 individuals); however, NationsBenefits is currently the worst affected healthcare entity. Overall, more than 4 million individuals had their protected health information stolen in these attacks. NationsBenefits said it learned about the security breach when its security monitoring team received an alert from one of its MFT servers at 16:02 on February 7, 2023, indicating unauthorized access. Fortra was contacted and asked to assist with the investigation, with the initial review confirming that the MFT server had been accessed and data had been stolen. The subsequent internal investigation confirmed that the threat actor did not move laterally to other NationsBenefits systems or applications.
NationsBenefits confirmed that prior to the attack layered security controls were already in place, but said security measures have since been strengthened. NationsBenefits has taken its MFT servers permanently offline and has transitioned to an alternative file transfer solution that does not rely on Fortra software. Notification letters started to be mailed to affected individuals on April 13, 2023. Complimentary credit monitoring services have been offered for 24 months.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy