Revenue Cycle Vendor Discloses Breach Tied to Fortra GoAnywhere Hack

June 12, 2023 - Tennessee-based revenue cycle management vendor Intellihartx (ITx) disclosed a data breach to the Maine Attorney General’s Office that impacted 489,830 individuals. The breach stemmed from a February 2023 hack against Fortra, its secure file transfer protocol provider.

As previously reported, threat actors leveraged a pre-authentication command injection vulnerability in Fortra’s GoAnywhere MFT solution. The Health Sector Cybersecurity Coordination Center (HC3) issued an alert in February to warn the healthcare sector specifically about Clop ransomware’s claims that it had leveraged the vulnerability to target more than 130 organizations.

In the case of ITx, the RCM vendor took steps to investigate the incident immediately and conduct a review of the impacted information. The investigation determined that names, addresses, diagnoses and medication information, billing and insurance information, and Social Security numbers were potentially subject to unauthorized access as a result of this incident.

“To protect against an incident like this from reoccurring, Fortra informed us that it has deleted the unauthorized party’s accounts, rebuilt the secure file transfer platform with system limitations and restrictions, and produced a patch for the software,” the notice stated.

“ITx has also implemented additional security measures, including immediate steps to implement measures to harden the security of ITx’s use of the GoAnywhere platform. Both ITx and Fortra have notified federal law enforcement about the Fortra Event and are cooperating with law enforcement’s investigation of the Fortra Event.”

In addition to ITx, Santa Clara Family Health Plan, Community Health Systems and Blue Shield of California, along with organizations in other sectors, have disclosed breaches tied to the vulnerability.

In April, Fortra published its findings from its investigation into the GoAnywhere MFT breach in collaboration with Palo Alto Networks' Unit 42 threat intelligence team. Fortra determined that an unauthorized party had leveraged a previously unknown zero-day remote code execution (RCE) vulnerability to gain access to customer systems.

“Our initial investigation revealed the unauthorized party used CVE-2023-0669 to create unauthorized user accounts in some MFTaaS customer environments,” Fortra stated.

“For a subset of these customers, the unauthorized party leveraged these user accounts to download files from their hosted MFTaaS environments. We prioritized communication with each of these customers to share as much relevant information as available to their specific instance of the GoAnywhere platform.”

Following remediation of this vulnerability, Fortra recommended that organizations rotate their Master Encryption Keys, reset credentials, and review audit logs for suspicious activity.