Health Plan, Mental Health Provider Hit by GoAnywhere FlawInsurer Notifying Thousands Affected by Breach of Behavioral Health Provider's Data
Blue Shield of California is notifying more than 63,000 customers that their data was potentially exfiltrated in a compromise involving Fortra's GoAnywhere secure file transfer software and one of the health plan's covered mental health providers for minors.
In a breach disclosure, Blue Shield said 63,341 individuals were affected in a January hacking incident involving Brightline Medical Associates and its subcontractor Fortra.
Palo Alto, California-based Brightline provides virtual behavioral health coaching and therapy for families with children ages 18 months to 17 years. Blue Shield of California is also an investor of the company.
Information affected by the incident includes name, address, birthdate, gender, phone number, email address and plan information.
The breach did not involve access to other types of sensitive data such as government identifiers or financial information, Blue Shield said.
The incident affecting Blue Shield and Brightline joins at least one other major breach so far reported to regulators by a healthcare sector entity linked to the exploitation of a zero-day vulnerability in GoAnywhere.
In February, ransomware group Clop claimed to have exploited the GoAnywhere vulnerability to breach networks used by 130 different organizations. This month, the cybercrime gang took responsibility for over 50 hacks tied to the exploit (see: Clop: GoAnywhere Attacks Have Now Hit 130 Organizations).
Tennessee-based Community Health Systems in recent weeks also reported to federal regulators a hacking incident affecting the protected health information of nearly 1 million individuals involving exploitation of the GoAnywhere vulnerability (see: CHS to Notify 1 Million in Breach Linked to Software Flaw).
The impact on patient privacy could grow larger.
"An additional concern in incidents such as this is the implications of the data leak," said Brett Callow, threat analyst at security firm Emsisoft. "Clop potentially now has a significant amount of phishing bait it can use or sell on. Exactly how much remains to be seen."
Neither Brightline nor Blue Shield immediately responded to Information Security Media Group's requests for additional details, including whether Clop was involved.
Some experts predict many more organizations affected by GoAnywhere compromises will soon surface.
"At this time, it appears that maybe only half the victims of the larger Clop attack have been identified," said Jon Moore, chief risk officer at privacy and security consultancy Clearwater.
"If that is the case, we are likely to see more victims either identified by Clop or who self-report in the coming weeks," he said.
Complex Vendor Risk
Blue Shield of California said Brightline informed it on Feb. 5 that Fortra had suffered a cybersecurity incident between the dates of Jan. 28 and Jan. 31.
"The forensic investigation being conducted by Fortra revealed that an unauthorized individual gained access to Fortra's GoAnywhere Managed File Transfer-as-a-service application and was able to download files that Brightline maintained on that system," Blue Shield said.
The incident involving Blue Shield, Brightline and its subcontractor Fortra is a prime example of the kind of complex third-party security risk challenges faced by healthcare sector entities, Moore said.
Unfortunately, in the case of zero-day vulnerabilities, such as the GoAnywhere vulnerability, "there is not much one can do to limit the risk other than to try to pick vendors who take security seriously and who try to select software products from developers who have strong security practices built into their development life cycle," Moore said.
In the meantime, attacks on vendors that service large or many constituents of the healthcare sector and other sectors will continue to present serious risk, Callow said.
"These attacks can deliver a high ROI" for attackers, he said.