Cyber Incident Victim: CloudMed
Date: Feb 2023
Location: United States of America
Summary
CloudMed, a revenue management business associate, was impacted by a breach involving the exploitation of a vulnerability in Fortra's GoAnywhere file transfer service. The Clop threat actor claimed exfiltration of customer databases containing hospital patient data such as names, addresses, Social Security numbers, insurance details, diagnoses, and physician information, alongside log files with login credentials, hashed passwords, and file transfer records. Initial analysis of leaked samples indicated no protected health information was present in the first data release, though the breach exposed internal transmission documentation, with uncertainty remaining regarding the full scope of compromised data or additional leaks.
Description
The Fortra/GoAnywhere breach, discovered in early February 2023, involved threat actors exploiting a vulnerability in Fortra's secure file transfer software, GoAnywhere. Clop, the ransomware group behind the attack, exfiltrated data from multiple healthcare entities, including CloudMed, a revenue management business associate serving hospitals. Clop listed CloudMed on its leak site and claimed to have acquired customer databases containing hospital patient information such as names, addresses, Social Security numbers, phone numbers, insurance details, diagnosis names, and treating physicians' names. Additionally, Clop asserted it obtained log files from CloudMed’s GoAnywhere system, including login credentials, hashed passwords, email addresses, and records of files transferred through the platform. Initial analysis of the limited data Clop leaked from CloudMed in the first phase did not reveal protected health information (PHI), but it confirmed documentation of file transmissions via the compromised system. The full scope of CloudMed’s data exposure remained unclear, as Clop did not specify how many additional data batches would be released.

CloudMed did not issue public notifications or press releases about the breach by April 22, 2023, nor did it respond to multiple inquiries from DataBreaches.net in March and April. The absence of disclosure occurred despite HIPAA’s 60-day notification deadline for breaches involving PHI, raising concerns about delayed risk communication to affected patients and clients. The broader Fortra/GoAnywhere incident impacted at least 15 healthcare-related entities, with Clop leaking data from providers like Homewood Health, Multiplan, and MedExHCO, which contained unredacted PHI, employee records, and financial documents. HHS confirmed it would investigate covered entities and business associates linked to the breach, emphasizing compliance with HIPAA Security Rule requirements for risk analysis and securing electronic PHI during file transfers. By June 2023, related breaches at Intellihartx LLC (ITx) and other third-party vendors had exposed nearly 500,000 patient records, underscoring the cascading risks of the Fortra compromise. Patients whose data was leaked on Clop’s dark web site were not formally notified by CloudMed or several other entities months after the breach, leaving individuals unaware of potential identity theft or fraud risks stemming from the incident.
