Health info for 1 million patients stolen using critical GoAnywhere vulnerability
One of the biggest hospital chains in the US said hackers obtained protected health information for 1 million patients after exploiting a vulnerability in an enterprise software product called GoAnywhere.
Community Health Systems of Franklin, Tennessee, said in a filing with the Securities and Exchange Commission on Monday that the attack targeted GoAnywhere MFT, a managed file transfer product Fortra licenses to large organizations. The filing said that an ongoing investigation has so far revealed that the hack likely affected 1 million individuals. The compromised data included protected health information as defined by the Health Insurance Portability and Accountability Act, as well as patients’ personal information.
Two weeks ago, journalist Brian Krebs said on Mastodon that cybersecurity firm Fortra had issued a private advisory to customers warning that the company had recently learned of a “zero-day remote code injection exploit” targeting GoAnywhere. The vulnerability has since gained the designation CVE-2023-0669. Fortra patched the vulnerability on February 7 with the release of 7.1.2.