Community Health Systems Impacted by Data Breach Tied to GoAnywhere MFT Vulnerability
In an SEC filing, Community Health Systems, one of the country’s largest healthcare providers, disclosed a third-party data breach involving Fortra’s GoAnywhere managed file transfer solution that impacted approximately one million individuals.
In a recent Securities and Exchange Commission (SEC) filing, Community Health Systems (CHS) disclosed a third-party data breach involving Fortra’s GoAnywhere managed file transfer (MFT) solution.
The Franklin, Tennessee-based health system is one of the largest healthcare providers in the US, operating 79 hospitals across 16 states. CHS contracts with Fortra, a cybersecurity firm whose secure file transfer product, GoAnywhere, was recently the subject of a vulnerability disclosure.
In the SEC filing, CHS noted that it was recently notified by Fortra of a “security incident that resulted in the unauthorized disclosure of company data.” As a result of the hack, the protected health information (PHI) of approximately one million individuals was exposed.
“Upon receiving notification of the security breach, the Company promptly launched an investigation, including to determine whether any Company information systems were affected, whether there was any impact to ongoing operations, and whether and to what extent PHI or PI had been unlawfully accessed by the attacker,” the filing stated.
“While that investigation is still ongoing, the Company believes that the Fortra breach has not had any impact on any of the Company’s information systems and that there has not been any material interruption of the Company’s business operations, including the delivery of patient care.”
The vulnerability that was exploited, CVE-2023-0669, carries a CVSS base score of 7.2 (High) in the National Vulnerability Database (NVD). According to the vulnerability description, “GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object.” In practice, that means a request to that servlet carries a serialized object that the server reconstructs before any authentication check takes place, and a crafted object leads to command execution on the server.
According to Rapid7, exploitation requires network access to the administrative console, not administrator credentials; the pre-authentication nature of the bug is why reachability of that console is the deciding factor. Fortra’s Web Client interface, the component typically exposed to external partners, is not itself exploitable. Fortra patched the vulnerability in version 7.1.2, released on February 7, 2023.
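The two facts above, a fixed version of 7.1.2 and administrative-console reachability as the precondition, are what an operator needs to triage a fleet of GoAnywhere instances. The script below is an added example, not Fortra’s, Rapid7’s or CHS’s code; the inventory records are constructed, the field names are hypothetical, and the only facts it assumes from the article are the 7.1.2 threshold and the exposure condition. It compares versions numerically because a plain string comparison ranks “7.1.10” below “7.1.2”, which would misreport a patched host as vulnerable and, in the opposite direction, can hide unpatched ones.

```python
"""Triage GoAnywhere MFT instances against CVE-2023-0669.

Added example (not vendor code). Assumptions, taken from the article:
  - the first fixed release is 7.1.2;
  - exploitation needs network reachability to the administrative console,
    so exposure of that console, not of the Web Client, sets the priority.
The inventory below is constructed sample data.
"""
from dataclasses import dataclass
import re

FIXED_VERSION = (7, 1, 2)  # first patched release per the article


@dataclass(frozen=True)
class Instance:
    host: str
    version: str
    # hypothetical inventory field: where the admin console is reachable from
    admin_console_reachable_from: str  # "internet", "vpn" or "internal"


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '7.1.1', 'v7.0.3' or '6.8.9-hotfix' into a tuple of ints.

    Strings sort lexically ('7.1.10' < '7.1.2'), so compare component-wise
    as integers. Short versions such as '7.1' are padded to three parts.
    """
    m = re.match(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def is_vulnerable(version: str) -> bool:
    """True when the instance runs anything older than 7.1.2."""
    return parse_version(version) < FIXED_VERSION


def triage(inventory: list[Instance]) -> list[tuple[int, str, str]]:
    """Return (priority, host, action) for unpatched hosts, riskiest first.

    Priority 1: unpatched and the admin console is internet-reachable.
    Priority 2: unpatched, console reachable over VPN.
    Priority 3: unpatched, console reachable only internally.
    Patched hosts are not listed.
    """
    findings = []
    for inst in inventory:
        if not is_vulnerable(inst.version):
            continue
        where = inst.admin_console_reachable_from
        if where == "internet":
            findings.append((1, inst.host, "patch or block the admin console now"))
        elif where == "vpn":
            findings.append((2, inst.host, "patch; review VPN access to the console"))
        else:
            findings.append((3, inst.host, "patch in the next maintenance window"))
    findings.sort()
    return findings


# Constructed sample inventory; hostnames are made up.
SAMPLE_INVENTORY = [
    Instance("mft-dmz-01", "7.1.1", "internet"),
    Instance("mft-corp-02", "7.0.3", "vpn"),
    Instance("mft-lab-03", "7.1.2", "internet"),   # patched, not reported
    Instance("mft-int-04", "6.8.9-hotfix", "internal"),
    Instance("mft-corp-05", "7.1.10", "vpn"),      # patched; a string compare would flag it
]

if __name__ == "__main__":
    for priority, host, action in triage(SAMPLE_INVENTORY):
        print(f"P{priority} {host}: {action}")
```

The exposure field stands in for whatever your asset inventory records about network placement; the point is that the same unpatched version is an emergency on an internet-facing console and a scheduled patch on an isolated one.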
“The Company will ensure that appropriate notification is provided to any individuals affected by this attack, as well as to regulatory agencies as required by federal and state law,” CHS explained.
“The Company will also be offering identity theft protection services to individuals affected by this attack.”