Cyber Incident Victim: Community Health Systems

Date: Feb 2023

Location: United States of America

Summary

Community Health Systems experienced a third-party data breach when its vendor Fortra, LLC, provider of the GoAnywhere secure file transfer software, suffered a security incident. The Clop threat actor group exploited a zero-day vulnerability to exfiltrate protected health and personal information of approximately 1 million patients without disrupting healthcare services. This incident resulted in unauthorized disclosure of sensitive data but did not affect patient care delivery.

Description

On or around February 13, 2023, Tennessee-based Community Health Systems, Inc. (CHS) filed an 8-K disclosure with the U.S. Securities and Exchange Commission revealing a data breach impacting approximately one million patients. The breach stemmed from a security incident at Fortra, LLC, a cybersecurity vendor providing CHS affiliates with GoAnywhere secure file transfer software. Fortra notified CHS that attackers exploited a vulnerability in its GoAnywhere platform, resulting in unauthorized access to and exfiltration of protected health information (PHI) and personal information (PI) belonging to CHS patients. The threat actors did not compromise CHS’s internal systems directly but instead targeted the third-party vendor’s file transfer service. CHS clarified the incident did not disrupt patient care delivery despite the exposure of sensitive data governed by HIPAA regulations.

The attackers, identified as the Clop ransomware group by cybersecurity outlet Bleeping Computer, contacted media claiming responsibility for breaching 130 organizations through a zero-day exploit in GoAnywhere. Clop stated their operation focused solely on data theft rather than deploying encryption payloads, indicating a shift from prior ransomware tactics. CHS’s SEC filing provided no technical specifics about Fortra’s vulnerability but confirmed the compromise led to PHI/PI exposure across unnamed affiliates. The healthcare system estimated the breach affected one million individuals, though the exact types of exposed data elements (e.g., names, diagnoses, or financial details) remained undisclosed. Neither CHS nor Fortra provided timelines for detection, containment, or forensic analysis completion in the initial disclosure. As of the filing date, the breach had not been posted to the U.S. Department of Health and Human Services’ public breach portal, suggesting regulatory reporting remained ongoing.
