Cyber Incident Victim: Kannact

Date: Feb 2023

Location: United States of America

Summary

A healthcare organization experienced an external system breach involving unauthorized access to sensitive data through a compromised third-party file transfer tool (Fortra/GoAnywhere) exploited by the Clop ransomware group. The incident exposed personal identifiers, Social Security numbers, driver's license details, protected health information including medical diagnoses and treatment records, and other personally identifiable data. Over 117,000 individuals nationwide were impacted, leading to written notifications and offers of 12 months of credit monitoring and identity theft protection services. The attackers publicly leaked portions of the stolen data, confirming the acquisition of customer files containing names, birthdates, contact information, and SSNs.

Description

On February 6, 2023, Kannact, Inc., a healthcare organization providing employee health coaching services, experienced an external system breach involving unauthorized access to its data. The breach, attributed to the exploitation of a vulnerability in Fortra’s GoAnywhere platform, was discovered on March 13, 2023. Threat actors associated with the Clop ransomware group claimed responsibility, listing Kannact on their leak site and publishing samples of stolen data to pressure the company. The attackers acquired files containing customer and employee data, including names, dates of birth, addresses, phone numbers, email addresses, Social Security Numbers, driver’s license numbers, and protected health information such as medical diagnoses, treatment details, pharmaceutical records, and Kannact IDs. Screencaps leaked by Clop included Magellan Rx management records with identifiable individual information, corroborating the theft of sensitive data. The breach impacted 117,968 individuals nationwide, including 284 Maine residents, though initial notifications to the Maine Attorney General’s Office on April 13, 2023, indicated the total number affected was still under investigation at that time.

Kannact initiated written notifications to affected consumers on August 14, 2023, over six months after the breach occurred. The company offered 12 months of credit monitoring and identity theft protection services to impacted individuals. Its disclosure to regulators confirmed the breach stemmed from a hacking incident targeting Fortra’s file-transfer software, part of a broader campaign affecting multiple healthcare entities. Clop’s leak site included spreadsheets, text files, and CSV databases containing Kannact’s stolen information, with the group gradually releasing data in multiple updates. The compromised data exposed individuals to potential identity theft and medical fraud due to the inclusion of Social Security Numbers and detailed health records. Kannact’s notification did not specify whether ransomware payments were demanded or made, and the company’s public statement emphasized the variability in the types of information exposed per individual. The incident highlighted systemic risks associated with third-party software vulnerabilities in the healthcare sector, as Fortra’s GoAnywhere exploit impacted at least six North American healthcare providers or business associates, including entities with significantly larger patient exposures.
