
One-sentence summary:
In 2023, Community Health Systems (CHS), INC., through its partnership with Fortra’s GoAnywhere MFT (Managed File Transfer) solution, was likely breached through an emerging RCE (remote code execution) vulnerability in the MFT, potentially by the Clop ransomware group, affecting approximately one million patients.
Who was involved?
Community Health Systems (CHS), INC., Fortra, potentially the Clop ransomware group, and one million patients.
What was the timeline?
February 10, 2023: CVE-2023-0669 (Fortra GoAnywhere MFT Remote Code Execution Vulnerability), allegedly the vulnerability used to penetrate Community Health Systems (CHS), INC., was published in the NVD (National Vulnerability Database) (NIST, 2023).
February 13, 2023: Community Health Systems (CHS), INC.’s Form 8-K SEC (Securities and Exchange Commission) filing was published; it does not currently indicate a breach timeline (Community Health Systems, 2023).
What occurred?
In February 2023, the Clop ransomware group claimed that it exploited CVE-2023-0669 on 100+ victim organizations and exfiltrated a substantial amount of patient data; the group is temporally associated with the attack on Community Health Systems (CHS), INC’s Fortra MFT system (Gatlan, 2023, para. 8). The vulnerability does not require authentication, is fully remote, and deserializes an “attacker-controlled object” (NIST, 2023). One million patients of CHS are potentially affected by the breach (Community Health Systems, 2023, para. 2).
Estimated costs:
Direct costs: incident response costs so far, with further direct costs pending, such as data breach notification costs. Indirect costs: stocks plummeting (Halleman, 2023).
Involved laws:
Securities Exchange Act of 1934 (Community Health Systems, 2023). HIPAA and HITECH (45 CFR Part 164). Potentially state laws due to national presence (Community Health Systems, 2023, para. 3).
Root cause:
Potentially the remote code execution vulnerability in Fortra’s GoAnywhere MFT solution (CVE-2023-0669) (Gatlan, 2023, paras. 8-11).
Lessons learned:
TBA or N/A (see disclaimer). GoAnywhere is marketed as a HIPAA and HITECH-compliant SFTP solution (Fortra, n.d.).
Sources:
Community Health Systems. (2023). FORM 8-K. In Community Health Systems. Community Health Systems Press Room & Media Releases. Retrieved February 16, 2023, from https://chsnet.gcs-web.com/node/22076/html
Fortra. (n.d.). HIPAA & HITECH Compliant File Transfers. goanywhere.com. Retrieved February 16, 2023, from https://www.goanywhere.com/solutions/compliance/hipaa-hitech
Gatlan, S. (2023, February 14). Healthcare giant CHS reports first data breach in GoAnywhere hacks. BleepingComputer. Retrieved February 16, 2023, from https://www.bleepingcomputer.com/news/security/healthcare-giant-chs-reports-first-data-breach-in-goanywhere-hacks/
Halleman, S. (2023, February 16). CHS posts 2022 profit dip on heels of cyber breach. Healthcare Dive. https://www.healthcaredive.com/news/community-health-systems-posts-2022-profit-fall-cyber-breach-earnings/642878/
NIST. (2023, February 15). NVD – CVE-2023-0669. NIST.gov. Retrieved February 16, 2023, from https://nvd.nist.gov/vuln/detail/CVE-2023-0669