Cyber Incident Victim: WellBe Senior Medical

Date: Jan 2023

Location: United States of America

Summary

WellBe Senior Medical experienced a data breach in which the Clop ransomware group gained unauthorized access to sensitive patient information by exploiting a vulnerability in Fortra's GoAnywhere platform. Compromised data included patient names, addresses, dates of birth, medical diagnoses, health plan and medical record identifiers, procedure codes, and service dates. The attackers exfiltrated files containing insurance details, clinical measurements, financial reports, and audio recordings of patient calls disclosing medical conditions and coverage information. This incident was part of a broader campaign targeting multiple healthcare entities, with Clop leaking partial datasets to pressure victims into paying ransoms.

Description

The Fortra/GoAnywhere breach affecting WellBe Senior Medical stemmed from threat actors exploiting a vulnerability in Fortra’s managed file transfer (MFT) solution, GoAnywhere, around January 2023. The Clop ransomware group claimed responsibility, exfiltrating data from multiple Fortra clients and initiating extortion attempts by listing victims on its leak site and leaking samples of the stolen data. WellBe, a home healthcare provider, was among the affected healthcare entities. Clop specifically asserted that it had acquired WellBe files, including PDFs, TXT documents, XLSX spreadsheets, and CSV databases, containing patient names, addresses, dates of birth, genders, medical diagnoses, diagnosis codes, procedure codes, health plan ID numbers, medical record IDs, and dates of service. Additional compromised data included financial reports, pulse measurement results, and internal .mp3 recordings of patient calls in which representatives discussed insurance details, diagnoses, and care needs, which meant the recordings inadvertently exposed sensitive PHI in audio form. The operational impact of the breach on WellBe’s systems or services was not detailed in available disclosures.

WellBe publicly disclosed the incident on April 10, 2023, confirming that the types of compromised data varied by individual but not specifying the total number of affected patients. The notification clarified that Clop leaked screencaps containing PHI, internal documents, provider information, and patient call recordings as proof that it had acquired the data. WellBe gave no indication that it had paid a ransom or negotiated with Clop, nor was it explicitly listed on Clop’s leak site at the time of disclosure. The breach exposed patients to heightened risks of identity theft, medical fraud, and privacy violations because of the sensitivity of the stolen health and insurance data. No containment measures, forensic findings, or post-incident system modifications by WellBe were described in the source material. Other healthcare entities linked to the same Fortra vulnerability, including NationsBenefits and HelloBrightline, reported affected patient counts ranging from thousands to millions, though the scope of WellBe’s breach was not quantified publicly. Fortra declined to confirm whether it notified HHS or patients directly regarding breaches at client organizations like WellBe.