Breach, Ransomware, Incident Response

Tennessee health system stops all operations amid cyberattack recovery

Hospital emergency sign

Murfreesboro Medical Clinic & SurgiCenter was forced offline after a cyberattack was deployed on April 22. In response, the Tennessee provider closed all operations and launched an emergency shutdown of the network to prevent the attack from spreading.

MMC operations were completely shut down for almost two weeks until May 4. The latest update shows that while officials hoped to restore some walk-in services on May 3, the systems weren’t ready to go back online.

At 10 a.m. on May 4, MMC began accepting patients at its Pediatrics and Internal & Family Medicine walk-in clinics for “sick visits.” However, the site is still not accepting regular appointments, and the majority of its approximate 11 locations remain closed.

Patients took to social media to express concern over missed appointments, closures and prescription refills. An MMC spokesperson is promptly responding to those comments. But some are frustrated at response times, as well as long waits when calling into the health system with questions.

MMC is working with law enforcement and an outside firm to investigate the incident and identify the source and scope of the attack to return to normal clinic operations. Officials said: “Our first priority was to contain the incident and protect our patients and employees.”

The team is still working to restore the “systems safely with enhanced security features and controls” and is already working to strengthen its infrastructure to prevent a recurrence. Officials said “the quick detection by its technology experts” limited the impact of the attack.

“Preserving sensitive patient and employee information is of the utmost importance to MMC, but like so many other organizations around the country and despite its best efforts, MMC has found itself as the target of criminals attempting to steal personal or company data,” Joey Peay, MMC CEO, said in a statement.

MMC is working to ensure the “computer infrastructure is secure and free of any harmful software,” he added. “We apologize for the vagueness of our recent communications, but we did not want to do anything that would impede law enforcement’s investigative efforts.”

The recovery team has not yet confirmed whether any specific patient, employee or corporate data was accessed or removed from the network. Patients and employees of MMC are being urged to monitor their personal data for any misuse.

This is the second shutdown within the health sector in the last week, and the fourth incident in a month. A cyberattack forced Bitmarck, an IT vendor for German health insurers, offline after a cyberattack on May 1, while U.S. insurance giant Point 32 Health is facing disruptions from a ransomware incident deployed late last month. Both companies are still working to recover.

A fourth provider, Cornwall Community Hospital in Ontario, faced patient care delays and a loss of access to its patient portal after a cyberattack on April 11.

Brightline, NationsBenefits join list of GoAnywhere hack victims

Pediatric behavioral health provider Brightline is notifying at least 964,300 patients and 60 of its connected vendors that their data was accessed and exfiltrated by threat actors during a hack of its Fortra GoAnywhere MFT software-as-a-service in January.

Clop already claimed to have hacked Brightline as far back as March, when the actors added the company to its dark web site, claiming to have stolen the data tied to at least 63,000 children. Those details were not included in the notice. The breach was reported to the Department of Health and Human Services in nine separate filings. Blue Shield of California, which invested in Brightline, previously issued a similar notice.

The GoAnywhere platform is used for the secure transfer of encrypted files between business partners and maintains detailed access logs for files.

Fortra warned clients of the zero-exploit in its file transfer solution’s admin console in early February and provided a workaround as it worked on a patch. However, cybercriminals quickly released an active exploit that targeted the 1,000 exposed on-prem GoAnywhere MFT instances, or about 130 entities.

Community Health Systems was the first healthcare entity to report falling victim, which affected 1 million patients.

The Brightline notification mirrors these earlier notices: that Fortra “was made aware of suspicious activity within certain instances of its GoAnywhere MFT service” in January. An investigation found a previously unknown vulnerability that allowed an attacker to access certain customer accounts and download files.

Brightline was notified of the vulnerability on Feb. 4 and launched a review, which confirmed the access to its Fortra service. While its network was not hacked, the threat actors were able to acquire “certain files” saved in the platform.

The data varied by patient but could include names, contact information, dates of birth, member identification numbers, dates of plan coverage, and/or employer names. Brightline says Aetna member IDs were not compromised during the hack.

Fortra has since deactivated the hacker’s credentials, turned off the service, and rebuilt Brightline’s version of the platform to remove the vulnerability. Brightline bolstered its own security, as well, which included limiting ongoing access to verified users, removing all data from the service, and reducing data exposure until the shift to an alternative file transfer service.

The Fortra GoAnywhere hack mirrors the massive Accellion File Transfer Application attack reported in early 2021. The hack of a known vulnerability in the platform enabled access to hundreds of client systems and was easily the largest healthcare data breach reported in 2021, with over 3.51 million patients affected.

The GoAnywhere hack has affected companies in a range of sectors, including Nintendo of America, Washington Trust Bank, Boston Children’s Hospital, and a host of others.

The healthcare entity with the largest impact so far, appears to be NationsBenefits Holdings. The supplemental benefits provider reported the incident to HHS as affecting 3.04 million patients, making the GoAnywhere hack the largest healthcare data breach reported so far this year with well over 4 million individuals impacted.

Detected after an alert from the security team on Feb. 7, the hack impacted two NationsBenefits servers. The response team scanned the environment with “multiple security tools and confirmed the threat actors didn’t access any applications or systems beyond the Fortra GoAnywhere MFT environment.”

Further, the team found no evidence that the attackers had moved laterally from the vulnerable servers. The exfiltrated data was tied to patients of multiple insurance companies, including Aetna ACE, Elevance Health, and UAW Retiree Medical Benefits.

Since discovery, NationsBenefits took its GoAnywhere server permanently offline and implemented a new file transfer solution separate from Fortra software.

“NationsBenefits implements a comprehensive, written security and privacy program that includes technical, physical, and administrative safeguards,” officials said in a statement. “Even prior to the zero-day vulnerability becoming known, NationsBenefits’ layered security controls. blocked certain malicious activity, limiting the impact of this incident.”

This story has been updated with an increase in the overall breach tally and with a correction to the timeframe of Brightline's breach notice to patients.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.