
Cyber Incident Victim: Homewood Health

Date: Jan 2023

Location: Canada

Summary

A mass-ransomware attack exploited a vulnerability in Fortra's GoAnywhere secure file transfer tool, impacting numerous organizations globally. The Russia-linked Clop gang claimed compromise of approximately 130 entities, though fewer than half were publicly listed, and stole sensitive data including employee information, patient health records, and financial documents. Confirmed victims included healthcare providers, financial institutions, and government entities, with impacts ranging from exfiltration of mock customer data to theft of personal and medical information affecting over one million individuals. Homewood Health was identified as a GoAnywhere user but did not publicly confirm or deny compromise when contacted, alongside other organizations that either disputed data theft or remained under investigation. The attackers used the stolen data for extortion, threatening to publish it on their dark web leak site.

Description

The mass-ransomware attack exploiting a vulnerability in Fortra's GoAnywhere MFT file transfer software began in late January or early February 2023, though the exact intrusion date remains unspecified. The Russia-linked Clop ransomware gang claimed responsibility, asserting it had compromised data from 130 organizations using the software. Fortra, the developer of GoAnywhere, had initially concealed details of the critical vulnerability behind a customer login portal until independent security reporter Brian Krebs exposed it publicly on February 2. Fortra released security patches on February 7, but by then, attackers had already exfiltrated substantial data from multiple victims. Clop gradually listed affected organizations on its dark web leak site throughout March, threatening to publish stolen files unless ransom demands were met, though fewer than half of the claimed 130 victims were publicly identified by late March.

Healthcare provider Community Health Systems confirmed the theft of health data belonging to at least 1 million patients from its GoAnywhere instance. Other confirmed victims included Hatch Bank, Rubrik, Investissement Québec, and Hitachi Energy, all reporting employee personal information theft. The City of Toronto initially denied data exfiltration on March 20 but revised its statement on March 23, acknowledging unauthorized access through its third-party GoAnywhere system. Several organizations disputed Clop's claims, including AvidXchange, which asserted no data was stored on Fortra's platform, and Saks Fifth Avenue, which confirmed only mock test data was stolen. Multiple listed organizations declined to comment or verify impacts, including Swiss pharmaceutical firm Galderma, healthcare ITx Companies, and Canadian mental health provider Homewood Health, which did not respond to repeated inquiries. Homewood Health's use of GoAnywhere was confirmed, but the extent of data compromise—if any—remained unverified as the company neither acknowledged nor denied the breach during the investigation period. Clop released limited data samples from victim Onex, containing tax forms and employee records, while Fortra itself refused to disclose whether its internal systems hosting customer data were breached. The incident's full scope remained unclear due to non-disclosure by numerous affected entities and Fortra's lack of public communication regarding customer notifications.
