Cyber Incident Victim: Medex Healthcare
Date: Feb 2023
Location: United States of America
Summary
A ransomware attack exploiting a vulnerability in Fortra's GoAnywhere file transfer tool impacted numerous organizations, including Medex Healthcare, through a mass-hack attributed to the Russia-linked Clop gang. The attackers compromised data from approximately 130 entities, stealing sensitive information such as employee details, tax documents, and health records from confirmed victims like Community Health Systems and Hatch Bank. While some organizations denied data theft or confirmed only non-sensitive information was accessed, Medex Healthcare was identified as a GoAnywhere user but did not respond to requests for comment regarding potential compromise. Fortra, the software developer, did not publicly disclose affected customers or confirm whether its own systems hosted victim data.
Description
The mass-ransomware attack exploiting a vulnerability in Fortra's GoAnywhere secure file transfer software emerged in late January or early February 2023, though the precise start date remains undetermined. The Russia-linked Clop ransomware gang exploited a zero-day vulnerability in GoAnywhere, a tool widely adopted by organizations globally for transferring large datasets. Fortra, the software's developer (formerly HelpSystems), had concealed details of the vulnerability behind a login-protected advisory on its website until independent security reporter Brian Krebs exposed the flaw publicly on February 2, 2023. Fortra released patches on February 7, but by then, attackers had already compromised numerous victims. Clop claimed access to 130 organizations through this campaign but had publicly listed fewer than half on its dark web leak site by March 2023. Early confirmed victims included Community Health Systems, which reported theft of health data for 1 million patients, Hatch Bank, and cybersecurity firm Rubrik.

The attack's impact expanded throughout March 2023 as Clop added more organizations to its leak site. Fortra-hosted GoAnywhere instances appeared particularly vulnerable, though some customers using self-hosted deployments also suffered breaches. While entities like Investissement Québec and Hitachi Energy confirmed employee data theft via Fortra's systems, others denied material impacts. AvidXchange stated its GoAnywhere instance contained no stored data and was taken offline by Fortra, while Saks Fifth Avenue acknowledged theft of mock customer test data. Multiple organizations, including Swiss pharmaceutical firm Galderma, healthcare provider ITx Companies, and Medex Healthcare, were identified as GoAnywhere users but declined to confirm breaches when contacted by TechCrunch. Medex Healthcare, alongside Homewood Health, Grupo Vanti, and others, did not respond to repeated requests for comment regarding their presence on Clop's leak site or potential data exposure. The City of Toronto initially denied data exfiltration on March 20 but revised its statement on March 23 to confirm unauthorized access through its third-party GoAnywhere system. Clop's data samples from victim Onex included W-9 tax forms, payment records, and employee PII, though the full scope of stolen data across all victims remained unclear due to inconsistent disclosures and Fortra's refusal to comment on customer impacts.
