Community Health Group

Your Personal Info Could Be

Exposed Online After

This Hospital Breach

Breach Description

Community Health Group (CHG) in California experienced a significant data breach that was part of a larger cyberattack targeting the GoAnywhere Managed File Transfer (MFT) platform by Fortra. This breach affected nearly 1 million patients’ sensitive personal information[2][3][4][6][12].

The breach occurred due to a zero-day vulnerability (CVE-2023-0669) in the GoAnywhere MFT platform, which was exploited by attackers[3]. The unauthorized access took place between January 28 and January 30, 2023[12]. The ransomware gang known as Clop claimed responsibility for the attack, which was one of the 130 attacks they launched involving the GoAnywhere service[2].

Compromised information includes full names, addresses, medical billing and insurance information, certain medical information such as diagnoses and medication, and demographic information such as birthdates and Social Security numbers[4]. Community Health Systems (CHS), which operates CHG, has been working with law enforcement, including the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA), in response to the breach[4].

CHS is offering affected individuals 24 months of free credit and identity monitoring services[4]. They have also taken steps to harden the security of their systems, including applying a patch provided by Fortra and implementing additional security measures[4][12].

For those affected by the breach, it is recommended to take advantage of the identity theft protection services offered, place a freeze on credit reports, and remain vigilant for signs of identity theft or fraud.

Citations:

  1. https://www.chgsd.com/providers/fraud
  2. https://www.idstrong.com/sentinel/community-health-systems-data-leak/
  3. https://securityaffairs.com/142242/data-breach/community-health-systems-data-breach.html
  4. https://www.bankinfosecurity.com/chs-to-notify-1-million-in-breach-linked-to-software-flaw-a-21405
  5. https://www.hipaajournal.com/four-californian-medical-groups-sued-over-data-breach-affecting-3-3-million-patients/
  6. https://www.idstrong.com/data-breaches/community-health-systems-breach/
  7. https://www.jdsupra.com/legalnews/community-healthcare-network-notifies-5438520/
  8. https://wpso.dmhc.ca.gov/enfactions/actionListing.aspx?Org=Community+Health+Group&OrgType=0
  9. https://oag.ca.gov/privacy/databreach/list
  10. https://healthitsecurity.com/news/ca-health-plan-reports-data-breach-tied-to-fortra-goanywhere-hack
  11. https://www.bleepingcomputer.com/news/security/california-medical-group-data-breach-impacts-33-million-patients/
  12. https://www.pahomepage.com/news/data-breach-impacts-community-health-systems-hospitals/
  13. https://www.databreachtoday.com/community-health-systems-faces-lawsuit-a-7238
  14. https://www.fiercehealthcare.com/tech/chs-to-pay-5m-to-28-states-to-settle-2014-data-breach
  15. https://www.chgsd.com
Breach Submission Date Feb 28, 2023
Converted Entity Name Community Health Group
Converted Entity Type Health Plan
State CA
Individuals Affected 824
Breach Type Hacking/IT Incident

Breach Information Location Network Server

Business Associate Present Yes