Up to 1 Million Community Health Systems’ Patients Affected by GoAnywhere MFT Hack

By | February 15, 2023

Franklin, TN-based Community Health Systems has recently confirmed that it has been affected by a security incident at a cybersecurity firm that has seen unauthorized individuals gain access to the protected health information of up to 1 million patients. Community Health Systems is one of the largest health systems in the United States, and operates 79 hospitals and more than 1,000 sites of care in 16 U.S. states. On February 13, 2023, Community Health Systems confirmed in a Securities and Exchange Commission 8-k filing that it was recently notified by one of its cybersecurity vendors – Fortra – about a security incident affecting some of its data.

Community Health Systems said the breach appears to be limited to Fortra’s GoAnywhere MFT platform, its own systems have not been compromised, and the security incident did not have any impact on the care provided to patients. It is too early to tell exactly what information has been exposed, the extent of any data theft, and how many individuals have been affected, but Community Health Systems believes up to 1 million individuals have most likely been affected.

Community Health Systems confirmed that it is covered by a cyber insurance policy that provides some degree of protection against losses due to cyberattacks and it will be offering identity theft protection services to affected individuals. Further information will be released as the investigation progresses.

Zero-Day Flaw Exploited in More Than 130 Attacks

Fortra is a cybersecurity company that provides a secure file transfer platform called GoAnywhere MFT. Fortra recently confirmed that a zero-day vulnerability has been identified that was being exploited in the wild. At the time of issuing the security alert, a patch was not available to fix the vulnerability. Fortra notified all customers and provided mitigations to prevent exploitation of the flaw, then released an emergency patch the following day.

The vulnerability – tracked as CVE-2023-0669 – can be exploited remotely on GoAnywhere MFT instances that have their admin consoles exposed to the Internet. Successful exploitation of the flaw will allow a malicious actor to remotely execute code. A proof-of-concept (PoC) exploit for the flaw was publicly released this week. The flaw cannot be exploited if the admin console is only available within a private network or through a VPN, nor if allow-lists have been created to restrict access to trusted IP addresses.

Bleeping Computer has reported that it was contacted by a hacker who claimed to be a member of the Clop ransomware gang who said the vulnerability had been exploited by the group at more than 130 organizations. The exploit allowed them to gain access to the platform and move laterally, and while it would have been possible to deploy ransomware, the decision was made to only exfiltrate data in an extortion-only attack.

Similar tactics were used in December 2020 in a wave of attacks that exploited a zero-day vulnerability in the Accellion File Transfer Appliance (FTA). Approximately 100 companies were affected, had data stolen, and were subject to extortion attempts. Data was subsequently leaked on the Clop data leak site when the ransoms were not paid. The attacks were attributed to a group called FIN11, which has ties to the Clop ransomware group.

While the claims by the Clop ransomware group member have not been verified, Joe Slowik, Threat Intelligence Manager at the cybersecurity firm Huntress, has linked the attacks to the threat actor tracked as TA505, which has previously conducted ransomware attacks using Locky, Philadelphia, Globelmposter, and Clop ransomware variants. Bleeping Computer reports that Shodan scans show there are more than 1,000 GoAnywhere MFT instances exposed to the Internet, but only 136 are vulnerable to the flaw, as they can be accessed via ports 8000 and 8001, which are used by the vulnerable admin console.

The post Up to 1 Million Community Health Systems’ Patients Affected by GoAnywhere MFT Hack appeared first on HIPAA Journal.