Cyber Incident Victim: Multiplan

Date:

Feb 2023

Location:

United States of America

Summary

A healthcare entity, Multiplan, was compromised through a third-party breach involving Fortra's GoAnywhere file transfer service, in which threat actors exploited a vulnerability to exfiltrate sensitive data. The attackers, identified as Clop, leaked 3TB of information, including folders for multiple providers and health plans, and criticized the organization for allegedly delaying breach disclosure until after quarterly reports. This incident was part of a broader campaign impacting numerous healthcare entities, with stolen data containing protected health information and personal details leaked on the dark web to pressure victims into paying extortion demands.

Description

The Multiplan incident stemmed from the widespread exploitation of a vulnerability in Fortra's GoAnywhere file transfer service by the Clop ransomware group in early 2023. Attackers breached the system on or around February 2, 2023, exfiltrating approximately 3TB of data from Multiplan, a healthcare revenue management entity. Clop listed Multiplan on its leak site and adopted an unusually aggressive tone, accusing the company of negotiating in bad faith to delay breach disclosure until after quarterly financial reporting. The group alleged that Multiplan prioritized market manipulation over customer security, explicitly urging investors to question corporate leadership. Clop released an initial data dump structured across 32 separate folders, each corresponding to a different healthcare provider or health plan serviced by Multiplan. While the exact contents of the leaked data were not fully detailed in available reports, directory listings suggested extensive exposure of client-related information.

Multiplan did not issue immediate public notifications or acknowledge the breach in response to Clop’s claims, drawing criticism for lack of transparency. The absence of confirmed patient data disclosures in initial leaks contrasted with Clop’s broader pattern of leaking protected health information from other victims like Homewood Health and ITx. HHS emphasized that HIPAA-covered entities like Multiplan must investigate breaches and notify affected individuals within 60 days of discovery, though Multiplan’s compliance timeline remained unclear. By April 2023, no Multiplan breach submission appeared on HHS’s public reporting tool, and the company had not responded to media inquiries regarding its response plan. The incident highlighted systemic risks in third-party file transfer systems, with HHS reiterating obligations for rigorous risk assessments and FTP server security under existing HIPAA guidance. Ongoing federal investigations into Fortra-related breaches focused on evaluating victim organizations’ pre-breach security postures and notification timeliness.
