Data Breaches Reported by Brightline, University Urology, McPherson Hospital and Catholic Health

Brightline Reports Approximately 964,300 Individuals Impacted by Fortra GoAnywhere Hack

Brightline, a company offering virtual behavioral and mental services to households, has reported being affected by the cyberattack on Fortra’s GoAnywhere MFT file transfer solution. The attackers exploited a zero-day vulnerability targeting 130 companies during a 10-day period beginning on January 18, 2023. Although the Clop threat group carries out ransomware attacks, it did not use ransomware in these attacks. Just like the attacks involving the Accellion File Transfer Appliance (FTA) in 2021, the Clop group carried out data theft and extortion without encrypting files.

Brightline mentioned in the breach notification posted on its website that the attack happened on January 30, 2023. It also stated the result of Fortra’s investigation confirming the download of files that included protected health information (PHI). Fortra notified Brightline concerning the attack on February 4, 2023. Brightline conducted an internal investigation and confirmed that the attack only affected the data inside the GoAnywhere solution. There was no compromise of its systems. Right after finding out the scope of the breach and the persons impacted, Brightline began sending notifications to the impacted HIPAA-Covered Entities. The breach affected names, addresses, birth dates, member ID numbers, date of health plan coverage, and/or names of employers. Impacted persons received free credit monitoring services for two years.

Because of the breach, Brightline blocked the use of unauthorized users’ credentials to access information, switched off the GoAnywhere service, and restored it after addressing the zero-day vulnerability. More data security procedures were likewise applied, which include restricting access to confirmed users, taking away all information in the service, and reducing data exposure until another file transfer solution could be put in place. Brightline notified the impacted persons beginning on April 7, 2023 and issued notifications on behalf of a few impacted Covered Entities. The Clop group listed Brightline on its data leak site on March 16, 2023, but now the list is gone. Although this usually just happens if a ransom is paid, a Clop group member told Bleeping Computer that Brightline’s data were removed because the group did not know the type of business done by Brightline. The group member also apologized for the incident, which implies that there was no ransom payment.

Brightline has released a listing of 58 HIPAA-Covered Entities, which were impacted by the data breach. So far, 9 entities have submitted data breach notifications to OCR indicating that the breach affected 964,300 persons. Those notifications suggest that 4,044 to 462,241 individuals were impacted. It is not clear to what degree the notifications were issued to the 58 impacted Covered Entities. In case a different breach notification is given for every impacted Covered Entity, 49 of the impacted Covered Entities might be distributing their own breach notifications, which would probably bring the total number of impacted individuals higher than 1,000,000. A few of the notifications sent to state attorneys general by the impacted clients declare that Brightline gave several requests to Fortra requesting it to send notifications to impacted persons and regulators, however, Fortra declined.

The 58 affected covered entities that were identified are listed below:

  • IUOE
  • Insitu, Inc.
  • Kodiak Island Borough School District
  • Keller Supply
  • KPMG LLP
  • Legal Name: Continental Mills, Inc. Common Name: The Krusteaz Co
  • Manke Lumber Company Inc.
  • MacDonald-Miller Facility Solutions, LLC
  • Municipality of Anchorage
  • MIIA
  • Northwest Cascade, Inc.
  • Nintendo of America Inc.
  • Oberto Snacks Inc.
  • Pyrotek Inc
  • PND Engineers, Inc.
  • Rail Management Services
  • Seward Association for the Advancement of Marine Science dba Alaska SeaLife Center
  • Seagen Inc.
  • SOUTH SHORE HEALTH
  • SolstenXP, Inc.
  • Space Needle LLC & Center Art LLC
  • Stanford Health Care – ValleyCare Employee Health Care Plan
  • Stanford University Post-doctoral Scholars
  • Stanford Medicine Partners Employee Health and Welfare Benefit Plan
  • Stanford Health Care Employee Health and Welfare Benefit Plan
  • Spokane Teachers Credit Union
  • Symetra Life Insurance Company
  • The Board of Directors of the Leland Stanford Junior University (Educated Choices)
  • Tanana Chiefs Conference
  • University of Alaska
  • Undead Labs
  • VERTEX
  • Washington Trust Bank
  • Walla Walla University
  • Whitman College

University Urology Hacking Incident

University Urology in New York City has begun alerting 56,816 persons about the potential access and theft of their personal and health data by unauthorized individuals. The university detected suspicious activity in its computer network on February 1, 2023, and engaged third-party cybersecurity specialists to perform a forensic analysis and find out the nature and extent of the attack. On March 3, 2023, the investigation team confirmed the access of files inside its network. The team finished the manual analysis of those files on March 30, 2023, validated the contact details, and sent the notification letters on May 1, 2023.

The exposed data was different from one person to another and may have contained first and last names, birth dates, addresses, health conditions, medical treatment, test findings, prescription data, medical insurance data, health plan beneficiary numbers, subscriber ID numbers, billing/invoice details, and username/email address and passwords/security Q&A used for account access.

University Urology mentioned that Sentinel One agents were stationed for 30 days, which permitted the cybersecurity company to check its system for indicators of compromise and malicious activity. As of this time, all methods of persistence, malicious files, and unauthorized remote access tools were eliminated from its systems, and extra security procedures are enforced.

Although there are no reported incidents of attempted or actual misuse of the compromised information, the university offered free credit monitoring and identity theft protection services to impacted persons for one or two years.

McPherson Hospital Ransomware Attack

McPherson Hospital based in Kansas recently released notification letters to 19,020 individuals to advise them regarding a July 2022 ransomware attack. Based on the breach notifications, third-party cybersecurity specialists investigated the data breach to find out the scope of the unauthorized action and help secure its systems. On March 15, 2023, the internal investigation confirmed access to patient data that may include names, birth dates, Social Security numbers, medical insurance data, medical treatment data, and billing details. The healthcare provider sent notification letters in early May, which is about 10 months since the attack happened. It also provided free single-bureau credit monitoring services to the affected individuals. According to McPherson Hospital, it has reviewed and improved technical safeguards to avoid the same incidents later on.

Unauthorized Access by the Employee of a Catholic Health Business Associate

Catholic Health based in New York recently reported the exposure of the PHI of a number of its long-term care residents during a security breach that occurred at Minimum Data Set Consultants (MDS), one of its business associates. MDS investigated the potential data breach last March 2023 after detecting suspicious system activity.

Based on the investigation, an unauthorized individual gained access to patient information on or about August 27, 2022. Compromised information may include names, birthdates, Medicare and Social Security numbers, and diagnosis data. A former employee of MDS was identified as that unauthorized individual. MDS stated that the employee can no longer access the system and that he/she was reported to law enforcement. It is believed that patient information is not accessed with the intent to commit identity theft or fraud. Nevertheless, impacted persons were advised to track their accounts for suspicious transactions.

The number of affected patients is currently unknown.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. Follow on Twitter: You can follow Elizabeth on twitter at https://twitter.com/ElizabethHzone