
Clop ransomware hack of Fortra GoAnywhere MFT hits 1M CHS patients


The Clop ransomware group’s exploitation of a zero-day vulnerability found in the Fortra GoAnywhere MFT has compromised more than 130 organizations. A recent SEC filing shows 1 million patients tied to Community Health Systems in Tennessee were among those impacted.

Earlier this month, Fortra developers warned clients of the remote code execution vulnerability on the file transfer solution’s admin console. The platform enables the secure transfer of encrypted files with business partners and maintains detailed access logs for files. Ben Krebs was first to publicize the vulnerability on Mastodon.

The GoAnywhere alert warned the exploit would require access to the admin console, which “in most cases” would only be accessible from within a private company network, a virtual private network (VPN), or allow-listed IPs. The company provided a workaround as it works on a patch.

However, an active exploit was released for the bug. Estimates show that there are about 1,000 exposed on-prem GoAnywhere MFT instances and about 130 entities have been targeted. CHS is the first healthcare entity to report falling victim.

The SEC filing shows CHS was notified by Fortra that it “experienced a security incident” that caused “the unauthorized disclosure of company data.” The exposed data included protected health information and personal data of patients tied to CHS and its affiliates.

The investigation into the scope of the incident, including whether any CHS systems were affected and possible operational impacts, is ongoing. But CHS “believes that the Fortra breach has not had any impact on any … information systems [nor] ... any material interruption” of CHS business operations, including care delivery.

CHS is still determining the extent of the data access, but estimates 1 million patients were affected. Patients will be provided identity theft protection services. The health system “is continuing to measure the impact, including certain remediation expenses and other potential liabilities.”

Tallahassee Memorial making progress, but still diverting some EMS patients

Tallahassee Memorial HealthCare is continuing to operate under electronic health record procedures and is still diverting some EMS patients, 12 days after a cyber incident.

However, the Florida hospital’s “tireless efforts” have enabled the IT and forensic teams to bring its TMH Physician Partners’ practices and Urgent Care Centers back online. Hospital staff “are in the process of transitioning from paper documentation back to electronic medical records within the main hospital.”

“While these events represent a major step toward restoration, it is important to keep in mind that it will take some time to return to standard operations,” officials said in a statement. As such, care diversion remains in place for some emergency patients to ensure care quality.

The hospital “expects to encounter hurdles” and possible delays as it works through its restoration plan, which includes restoring the impacted systems as quickly and securely as possible. The restoration plan is designed to balance security and efficiency and includes testing each system before bringing it back online.

As previously reported, TMH began diverting all emergency medical services over an “IT security issue” after it brought its systems offline in response to an incident launched late on Feb. 2. TMH canceled “all non-emergency surgical and outpatient procedures” and was only accepting “Level 1” traumas in its immediate service area right after the attack.

The hospital has been following previously planned downtime procedures, but care has been delayed. TMH rescheduled all non-emergency patient appointments during the outage, as well.

Unlike the previous and ongoing outages at CentraState Medical Center and Atlantic General Hospital in Maryland, respectively, TMH has been upfront about each delay and its recovery progress, an effort at transparency that aims to support patient safety.

90 Degree Benefits informing 175K patients of February 2022 hack

90 Degree Benefits Wisconsin, formerly EBSO, recently informed 175,000 patients that their data was accessed during a “data security incident” that occurred one year ago on Feb. 27, 2022.

Under the Health Insurance Portability and Accountability Act, covered entities and relevant business associates are required to report all breaches of protected health information within 60 days of discovery — and without undue delay. The notice gives no explanation as to why patients are only now learning their data was accessed nearly one year ago.

Last year, 90 Degree launched an investigation after discovering the “incident” and determined “systems and files containing personal information were accessed without authorization.” The team could not “conclude whether information was actually viewed or accessed.” The notice does not shed light on just what data was compromised.

The entity informed the FBI of the incident, and their investigation is still ongoing.

Mscripts’ cloud storage hack impacts Banner Health, others

Mobile pharmacy solutions vendor mscripts recently informed at least 66,732 patients, as well as several of its clients, that a hack of its cloud storage asset enabled the access of patient health data. The vendor issued a notice on behalf of Banner Health, Brookshire Brothers, Costco Wholesale, Giant Eagle, and Meijer Pharmacy.

The notice does not explain when the misconfigured files or unauthorized access was first discovered, just that “certain files in cloud storage were accessible from the internet without the need for authentication for six years between Sept. 30, 2016 and Nov., 2022.” The delayed notice appears to be caused by “a thorough review” of the image files.

Upon discovery, mscripts changed the access settings and launched an investigation with support from an outside firm. They determined the exposed files include prescription order summaries tied to “locker pickups” at various pharmacies, images of prescription bottles, and insurance cards submitted through the mscripts web or mobile app.

The data included dates of birth, contact details, prescription numbers, medication names, originating pharmacy information, insurance details, member IDs, group numbers, and/or dependents’ names. Social Security numbers weren’t included.

“Each file would have only been accessible from the date it was submitted until Nov. 18, 2022,” according to the notice.

Rise Interactive reports data theft impacting 54,509 patients

A “data security incident” deployed against Rise Interactive Media & Analytics in November led to the access or theft of personal and health data tied to Edgepark Medical Supplies. More than 54,000 patients were affected.

The Rise notice does not provide much detail, just that the incident “impacted part of its systems.” The investigation into the data impact is ongoing, but Rise confirmed “certain files” were potentially accessed or acquired as a result. In December, Edgepark data was found to be included in the affected information.

The compromised data included patient names, contact information, provider details, diagnoses, expected delivery dates, and health insurance information. No financial data, SSNs, or payment card information was impacted by the incident.

Brooks Rehab latest to report breach via use of Pixel tracking tool

Brooks Rehabilitation is notifying 1,554 patients that their data was shared with third-party vendors, due to its use of Pixel tracking tech installed on its websites.

The Florida specialist implemented Pixels to enhance its website and user experience. The notice shows Brooks collected user information using the pixels and cookies to measure online activity. In December, it determined the “tracking technology vendors that provide services to Brooks had the capability to view and or access individually identifiable health information.” 

Namely, the vendors were able to access user-provided contact information or feedback through Brooks’ websites, as well as some health information. The exposed data included names, contact information, email addresses, IPs, information entered into the comment section, and the type of sites visited on the Brooks website.

Brooks was “unable to determine what if any of the information was actually collected and used.” As such, it’s notifying all individuals who logged into a Brooks website. The specialist has since disabled the tracking technology and vendor’s ability to access it.

“Brooks has no plans to use it in the future without confirmation that the tracking technology no longer has the capacity to transmit potentially identifiable information,” officials said in a statement. The provider is reviewing its policies and procedures for gathering user data and “will make changes as needed to enhance privacy.”

Brooks joins Novant Health, WakeMed, LCMC Health Systems, Willis-Knighton Health System, and a host of other provider organizations that relied on Pixel tech for website analytics, inadvertently sharing user data with Meta, Google, and other tech companies. Most of these providers, Meta, and Google have been hit with lawsuits blasting the alleged privacy violations.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
