Another corporate giant has confirmed thousands of healthcare members had information stolen in the cyberattack targeting Fortra customers.
Florida-based technology company NationsBenefits said in a data breach notice filed with New Hampshire’s attorney general that more than 7,100 state residents had their personal information stolen in the late-January ransomware attack on Fortra’s systems.
NationsBenefits provides supplemental benefits for health insurance members, such as vision, hearing and over-the-counter drugs.
The data breach notice said hackers stole personal information of NationsBenefits members stored in its Fortra-hosted instance of GoAnywhere, a file transfer software tool used by thousands of organizations to share large sets of data over the internet.
Hackers used a previously unknown vulnerability to raid dozens of customer GoAnywhere instances hosted by Fortra in the January mass-hack. The Clop ransomware gang claimed responsibility, alleging it stole data on more than a hundred organizations.
NationsBenefits did not say in its data breach notice what specific members’ personal information was stolen in the attack.
When reached by TechCrunch, NationsBenefits spokesperson Michael Fried declined to say what specific members’ data was stolen in the incident, adding that the company is “complying with all legal and commercial obligations in response to this incident.”
It’s not known how many individuals residing outside of New Hampshire are affected. NationsBenefits also filed a data breach notice in California, but companies are not obligated under the state’s law to disclose how many residents are affected by a data breach. Companies typically have to disclose data breaches in California when 500 residents or more are affected.
NationsBenefits has more than 20 million members across the United States. The company’s spokesperson declined to say how many of its millions of members are affected by the breach, when asked.
The healthcare benefits company is the latest Fortra customer to confirm it was affected by the January breach. U.S. healthcare giant Community Health Systems was the first confirmed victim and one of the worst affected, with the hackers claiming to have stolen data on at least one million patients. Consumer goods giant Procter & Gamble, healthcare program provider US Wellness, investment giant Onex, the U.K.’s Pension Protection Fund, Brightline, and the City of Toronto have all confirmed data thefts following the hack.
Fortra has faced criticism for its poor handling of the breach, which included hiding details of the zero-day exploit behind a customer login wall. News of the breach only came to light when security reporter Brian Krebs published the company’s hidden disclosure online. Fortra patched the vulnerability a week later.
TechCrunch reported that Fortra told some customers that their data was safe, only to find that their data was stolen after hackers sent a ransom demand.
NationsBenefits acknowledged in its statement that, “Only after we contacted Fortra did they confirm the existence of the vulnerability.”
In its first public acknowledgement of the breach, Fortra said in a blog post Tuesday that customers running their own on-premise server were hacked almost two weeks before Fortra’s hosted systems were compromised.
Fortra spokesperson Rachel Woodford declined to say how many customers are affected or comment beyond the company’s blog post.