Cyber Incident Victim: NationsBenefits Holding

Date: Jan 2023

Location: United States of America

Summary

A healthcare technology company experienced unauthorized access to personal data of thousands of individuals due to a ransomware attack targeting Fortra's GoAnywhere file-transfer software. The breach occurred when hackers exploited a previously unknown vulnerability in Fortra's systems, compromising data stored on the hosted platform. Over 7,100 New Hampshire residents were confirmed affected, with potential additional impacts across its nationwide membership base exceeding 20 million individuals. The Clop ransomware gang claimed responsibility for the mass hack, which also impacted other organizations including healthcare providers and consumer goods companies. Fortra faced criticism for delayed breach disclosure and for initially assuring customers of data safety before ransom demands revealed thefts. Fortra acknowledged the vulnerability only after direct inquiries from affected clients.

Description

The NationsBenefits data breach stemmed from a late-January 2023 ransomware attack targeting Fortra's GoAnywhere file-transfer software, which the Florida-based healthcare benefits provider used to store member data. Attackers exploited a previously unknown vulnerability in Fortra's hosted systems to compromise NationsBenefits' instance, stealing personal information belonging to over 7,100 New Hampshire residents, as disclosed in a state regulatory filing. The Clop ransomware gang claimed responsibility for the mass hack, asserting it impacted over 100 organizations globally. NationsBenefits, which provides supplemental health benefits like vision and over-the-counter drug coverage to more than 20 million U.S. members, filed additional breach notifications in California but did not disclose total affected individuals beyond New Hampshire's confirmed cases. Fortra initially concealed details of the zero-day exploit behind a customer login portal until security reporter Brian Krebs publicly revealed the incident, prompting the vendor to release a patch approximately one week after the attack commenced. NationsBenefits stated it learned of the vulnerability only after proactively contacting Fortra, which then confirmed the intrusion. Company spokesperson Michael Fried declined to specify the types of stolen data or total impacted members, citing compliance with legal and commercial obligations.

The breach exposed systemic vulnerabilities in Fortra's security protocols and incident response, as multiple customers received false assurances their data remained secure before hackers issued ransom demands. Fortra's April 2023 blog post acknowledged that on-premises customer servers were compromised nearly two weeks prior to its hosted systems, though the company refused to quantify total affected organizations. NationsBenefits joined a list of confirmed victims including Community Health Systems (1 million+ patient records), Procter & Gamble, US Wellness, and the City of Toronto. While NationsBenefits' breach notices met state disclosure thresholds, the absence of nationwide figures left uncertainty regarding the full scale across its 20-million-member base. Fortra spokesperson Rachel Woodford declined to elaborate beyond the published statement, maintaining opacity around customer impact assessments. The incident highlighted operational dependencies on third-party file-transfer vendors, with delayed vulnerability confirmation hindering client mitigation efforts. NationsBenefits undertook regulatory notifications but did not publicize additional remediation steps beyond acknowledging Fortra's failure to proactively disclose the exploit.