Community Health Systems reports GoAnywhere hacked

The healthcare company says the protected health information of as many as one million patients was exposed in a wave of zero-day attacks targeting Fortra's MFT platform.
By Andrea Fox


Community Health Systems filed with the Securities and Exchange Commission that it was notified by a third-party vendor for secure file transfer of an incident that resulted in unauthorized disclosure of its patient data.

WHY IT MATTERS

The GoAnywhere managed file transfer platform first warned about a zero-day remote code injection exploit on February 1, according to the technical bulletin posted by noted security researcher Brian Krebs on Infosec.exchange.

"The attack vector of this exploit requires access to the administrative console of the application, which in most cases is accessible only from within a private company network, through [virtual private network] or by allow-listed IP addresses (when running in cloud environments, such as Azure or AWS)," according to the Fortra bulletin Krebs accessed and shared.

Franklin, Tennessee-based CHS is one of the largest publicly-traded hospital systems in the United States. Its portfolio contains 79 acute-care hospitals and more than 1,000 other sites of care, such as physician practices, urgent care centers, imaging, cancer centers and more spread across 16 states, according to its website.

Patient care was not affected, according to CHS.

"The company believes that the Fortra breach has not had any impact on any of the company’s information systems and that there has not been any material interruption of the company’s business operations, including the delivery of patient care," CHS said in the Feb. 13 SEC filing posted on its website.

According to a February 10 report on Bleepingcomputer, the Clop ransomware gang claimed to be behind a wave of 130 attacks where they breached the popular MFT platform and stole data.

"The security flaw, now tracked as CVE-2023-0669, enables attackers to gain remote code execution on unpatched GoAnywhere MFT instances with their administrative console exposed to Internet access," says Bleepingcomputer.

The story alleges that Clop reached out to the publication to claim responsibility for the attacks and say that they stole the data over a 10-day period. Clop also said that they were able to move laterally through the networks, but decided against deploying ransomware payloads. 

CHS was the first to report a data breach in the GoAnywhere attacks, according to the publication's February 14 report. 

THE LARGER TREND

Worms targeting undetected vulnerabilities are now typically coupled with highly selective execution of ransomware shutdowns.

This is not the first time, however, that CHS has dealt with exposure of protected health information. 

In 2014, hackers compromised administrative credentials to gain access to CHSPSC, the management company owned by and providing business-associate services to CHS hospitals and physician clinics.

The FBI notified CHSPSC that its health information management system was accessed through its virtual private network. 

From April to August of that year, the cybercriminals tapped into 237 covered entities served by CHSPSC, and exfiltrated the PHI of more than six million people, according to the U.S. Department of Health and Human Services.

In 2020, the healthcare delivery company paid a $2.3 million settlement to the Office for Civil Rights for potential HIPAA violations, resolving the dispute over noncompliance that followed.

Zero-day threats are ever-present. HHS has advised the healthcare sector to patch early, patch often.

The Health Sector Cybersecurity Coordination Center recently warned that Clop ransomware is also sending infected files disguised as medical images in phishing attacks on medical facilities.

ON THE RECORD

"The company may have incurred, and may incur in the future, expenses and losses related to this incident that are not covered by insurance," CHS said in the filing.

In a separate SEC filing on February 15, the private healthcare company reported fourth quarter 2022 net operating revenues totaling $3.142 billion.

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.
