
Cyber Incident Victim: Allied Benefit

Date: Feb 2023

Location: United States of America

Summary

Allied Benefit was impacted by a widespread cybersecurity incident involving the exploitation of a vulnerability in Fortra's GoAnywhere file-transfer service by the Clop ransomware group. The attackers exfiltrated sensitive data including protected health information, payment records for medicines with personal identifiers, medical company databases containing addresses and tax IDs, and employee details such as names and contact information. Leaked data samples revealed client FTP server folders, indicating unauthorized access to third-party systems. The breach affected multiple healthcare-related entities, with Clop leaking stolen information on their dark web site to pressure victims into paying extortion demands, though Allied Benefit's specific notification status remained unclear at the time of reporting.


Description

The Fortra/GoAnywhere breach, discovered in early February 2023, involved exploitation of a vulnerability in Fortra’s secure file transfer software, GoAnywhere. The Clop ransomware group claimed responsibility, having exfiltrated data from multiple healthcare entities that used the platform. Allied Benefit Systems was identified as one of the affected organizations, appearing on Clop’s dark web leak site alongside other healthcare providers and business associates. Clop alleged possession of Allied Benefit data including FTP server information from medical companies, payment records containing names, IDs, and drug details, medical company databases with tax IDs and billing addresses, employee databases with contact information, and encrypted archives. Forensic inspection of initially leaked data confirmed the presence of client FTP server folders, though full data analysis remained incomplete at the time of reporting.


Allied Benefit did not issue public breach notifications or respond to multiple media inquiries between March and April 2023. This lack of disclosure occurred despite HIPAA’s 60-day notification requirement for breaches involving protected health information, as Fortra had alerted affected clients in early February. Clop leaked partial datasets to pressure victims into ransom payments, with Allied Benefit’s data exposure potentially impacting both individual patients and partner organizations through the compromised FTP server information. The incident mirrored Clop’s 2021 Accellion file-transfer breach tactics, prompting HHS to confirm it would investigate all covered entities’ security practices and breach responses. Over 1 million patients were already confirmed affected across all entities in the Fortra breach by April 2023, with additional reports emerging through June 2023 including nearly 500,000 patients impacted through business associate Intellihartx. HHS emphasized covered entities’ obligation to conduct risk analyses addressing file transfer vulnerabilities, referencing prior enforcement actions involving FTP server breaches.
