Community Health Systems (CHS) says it was impacted by a recent wave of attacks targeting a zero-day vulnerability in Fortra’s GoAnywhere MFT secure file transfer platform.
The healthcare provider giant said on Monday that Fortra issued an alert saying that it had “experienced a security incident” leading to some CHS data being compromised.
A subsequent investigation revealed that the resulting data breach affected the personal and health information of up to 1 million patients.
“While that investigation is still ongoing, the Company believes that the Fortra breach has not had any impact on any of the Company’s information systems and that there has not been any material interruption of the Company’s business operations, including the delivery of patient care,” CHS said an 8-K filing with the SEC first spotted by DataBreaches.net.
“With regard to the PHI and PI compromised by the Fortra breach, the Company currently estimates that approximately one million individuals may have been affected by this attack.”
It also added that it would offer identity theft protection services and notify all affected individuals whose information was exposed in the breach.
CHS is a leading healthcare provider that operates 79 affiliated acute-care hospitals and over 1,000 other sites of care across the United States.
Clop gang claims it breached 130 Fortra clients
The Clop ransomware gang claims to be behind these attacks and told BleepingComputer that they’ve breached and stolen data from over 130 organizations.
Clop also said they had allegedly stolen the data over ten days after breaching GoAnywhere MFT servers vulnerable to exploits targeting the CVE-2023-0669 RCE bug.
The gang didn’t provide proof or additional details regarding their claims when BleepingComputer asked when the attacks began, if they had already started extorting victims, and what ransoms they were asking for.
BleepingComputer could not independently confirm any of Clop’s claims, and Fortra is yet to reply to several emails asking for more info regarding CVE-2023-0669 exploitation and the ransomware group’s allegations.
Clop is known for using a similar tactic in December 2020, when they discovered and exploited a zero-day bug in Accellion’s legacy File Transfer Appliance (FTA) to steal large amounts of data from roughly 100 companies worldwide.
At the time, the victims received emails demanding $10 million in ransoms to avoid having their data published on the cybercrime group’s data leak site.
Organizations that had their Accellion servers hacked include, among others, energy giant Shell, cybersecurity firm Qualys, supermarket giant Kroger, and multiple universities worldwide such as Stanford Medicine, University of Colorado, University of Miami, University of California, and the University of Maryland Baltimore (UMB).
If Clop follows a similar extortion strategy, we will likely see a rapid release of data for non-paying victims on the threat actor’s data leak site in the near future.
Federal agencies order to patch until March 3rd
GoAnywhere MFT’s developer Fortra (formerly known as HelpSystems) disclosed to its customers last week that a new vulnerability (CVE-2023-0669) was being exploited as a zero-day in the wild.
Fortra also revealed, after releasing patches, that some of its MFTaaS hosted instances were also breached in the attacks.