Cyber Incident Victim: MedMinder
Date: Jan 2023
Location: United States of America
Summary
A mass data-theft and extortion campaign exploiting a vulnerability in Fortra's GoAnywhere MFT managed file transfer software impacted approximately 130 organizations, including MedMinder, with the Russia-linked Clop ransomware gang claiming responsibility. Rather than encrypting systems, the attackers exfiltrated sensitive data such as employee personal information, customer records and healthcare data from multiple victims and threatened to publish it. What, if any, MedMinder data was taken remains under investigation. Some organizations confirmed data theft affecting millions of individuals; others disputed the severity or relevance of the accessed information. MedMinder acknowledged the allegations but declined further comment during its ongoing review of the incident.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
The mass extortion campaign exploiting a vulnerability in Fortra's GoAnywhere MFT secure file transfer tool came to light in late January or early February 2023, though the precise start of exploitation remains unspecified. The Russia-linked Clop ransomware gang exploited a then-unpatched (zero-day) vulnerability in GoAnywhere, a widely used enterprise file transfer product, to steal data from numerous organizations. The flaw, later tracked as CVE-2023-0669, allowed unauthenticated remote code execution through the product's administrative console; Fortra's own guidance was that the admin console should not be reachable from the internet, which made internet-exposed admin interfaces the primary target. Fortra initially kept details of the vulnerability behind a customer login portal until independent security reporter Brian Krebs publicly disclosed the flaw on February 2. Fortra released patches on February 7, but attackers had already exfiltrated data from multiple victims during the window between exploitation and the fix. Clop claimed to have breached 130 organizations through this campaign but had publicly listed fewer than half of them on its dark web leak site by March 2023, using the site to extort victims by threatening to publish their data unless a ransom was paid.

Healthcare provider Community Health Systems confirmed the theft of health data belonging to roughly 1 million patients from its GoAnywhere system, making it one of the earliest identified victims. Other confirmed victims included Hatch Bank, cybersecurity firm Rubrik, Canadian financial institution Investissement Québec and Hitachi Energy, all of which attributed their breaches to compromised GoAnywhere instances. The City of Toronto initially denied data exfiltration on March 20 but revised its statement on March 23 to confirm unauthorized access via its third-party GoAnywhere system.

MedMinder, identified as a GoAnywhere user, was listed on Clop's leak site. Spokesperson Stacy Clougherty acknowledged awareness of the allegations but declined further comment pending investigation.

Several organizations disputed Clop's claims, including AvidXchange, which asserted that none of its data resided on Fortra's platform, and Saks Fifth Avenue, which stated that only mock customer test data was stolen. Fortra did not publicly confirm whether its own hosted systems holding customer data were compromised, nor did it provide a list of affected customers, despite multiple inquiries from TechCrunch.

The incident's full scope remained unclear as of March 2023. Numerous listed organizations, including Galderma, ITx Companies and Homewood Health, had not publicly confirmed breaches despite evidence of their GoAnywhere usage. Clop published samples of stolen data from Onex Corporation, including employee details and financial documents, while many victim organizations continued investigating potential impacts without disclosing specifics.
