Community Health Systems (CHS) said in a February 13 statement that it was affected by the recent spate of attacks by the hacker group Clop. The attacks targeted a zero-day vulnerability in Fortra's GoAnywhere MFT file transfer platform. The investigation revealed that the personal and medical information of almost a million patients was affected as a result of the data breach.
“While this investigation is still ongoing, the company believes that the attacks did not affect any of the company's information systems and that there were no material disruptions to the company's business operations, including patient care. In terms of personal and medical information compromised in the hack, the company estimates that as many as one million people may have been affected by the attack at this time,” CHS said in a statement.
The company also added that it will offer identity theft protection services and notify any affected individuals whose information has been exposed as a result of the hack.
CHS is a leading healthcare provider with 79 affiliated acute care hospitals and over 1,000 other healthcare facilities throughout the United States.
The Clop ransomware gang, although claiming responsibility for the breach, did not provide any evidence or additional details regarding its attacks. However, a Huntress employee discovered links between the GoAnywhere MFT attacks and TA505, a group known to have deployed Clop ransomware in the past. The group's claim is therefore unlikely to be a bluff.
If Clop follows its usual extortion strategy, a massive leak to the dark web of data from the companies that refused to pay the ransom can be expected in the near future.
Fortra, the developer of GoAnywhere MFT, told its customers in early February that a new zero-day vulnerability, identified as CVE-2023-0669, was being actively exploited in the wild (ITW). Fortra released security updates very quickly after a PoC exploit appeared online; the exploit allows an unauthorized party to achieve remote code execution on vulnerable servers. However, not all organizations using the GoAnywhere MFT platform have yet updated the software to the latest version.
CISA added the GoAnywhere MFT vulnerability to its catalog of known exploited vulnerabilities, ordering U.S. federal agencies to secure their systems by March 3rd.