Fortra GoAnywhere MFT Vulnerability Impacts Blue Shield of CA

March 30, 2023 - Blue Shield of California notified 63,341 individuals of a healthcare data breach that stemmed from the Fortra GoAnywhere vulnerability. One of Blue Shield’s providers, Brightline Medical Associates, notified Blue Shield in February that its subcontractor, Fortra, had suffered a cybersecurity incident. Brightline offers a virtual mental healthcare platform for children.

“The forensic investigation being conducted by Fortra revealed that an unauthorized individual gained access to Fortra’s GoAnywhere Managed File Transfer-as-a-service (MFTaaS) application and was able to download files that Brightline maintained on that system,” the breach notice explained.

The information involved in the breach may have included names, gender, addresses, dates of birth, Blue Shield subscriber ID numbers, phone numbers, plan names, plan group numbers, and email addresses.

“Fortra immediately deactivated the unauthorized user’s credentials, disabled the vulnerable application, and rebuilt the application and gateway,” the notice continued.

“Additionally, Fortra removed all data we shared with Brightline from the GoAnywhere MFTaaS and notified law enforcement. Blue Shield does not own or operate the impacted systems and we are relying on Fortra for reports of forensic advice.”

This latest breach report shows that the GoAnywhere vulnerability is continuing to have a lasting impact on the healthcare sector. In February, Community Health Systems (CHS) disclosed a breach involving the same vulnerability. CHS said that nearly one million individuals were impacted by the incident.

The Health Sector Cybersecurity Coordination Center (HC3) issued an alert in February to warn the healthcare sector specifically about Clop ransomware’s use of the Fortra vulnerability. Clop claimed to have conducted a mass cyberattack in February against 130 organizations.

The group informed Bleeping Computer that it had stolen protected health information (PHI) and other data and said that it had the ability to encrypt healthcare systems by deploying ransomware payloads, HC3 noted.

“This incident is by no means an isolated one to this industry. Healthcare is particuarly vulnerable to cyberattacks, owing to their high propensity to pay a ransom, the value of patient records, and often inadequate security,” HC3 said at the time.

“In 2022, 24 hospitals and multihospital healthcare systems were attacked, and more than 289 hospitals were potentially impacted by ransomware attacks. Clop’s alleged attack this year only further exacerbates an ever-growing trend to target the healthcare industry, and highlights its vulnerabilities to future cyberattacks.”

To mitigate risk, HC3 urged organizations to patch the GoAnywhere MFT vulnerability where applicable. HC3 also encouraged healthcare organizations to “acknowledge the ubiquitous threat of cyberwar against them” and focus on educating staff and assessing enterprise risk against all potential vulnerabilities.