NationsBenefits logo (image source: NationsBenefits (businesswire), n.d.
One-sentence summary:
NationsBenefits was breached by the Clop ransomware group in the early 2023 Fortra breach campaign, affecting over 15,000+ consumers and potentially Aetna customers.
Who was involved?
NationsBenefits Holding, LLC, Fortra, LLC, Santa Clara Family Health Plan (SCFHP), 15,971+ consumers, potentially Aetna, and the Clop ransomware group.
What was the timeline?
January 30, 2023: NationsBenefits is part of a breach targeting multiple organizations via Fortra
February 7, 2023: NationsBenefits discovers the breach
April 13, 2023: NationsBenefits begins consumer notification
What occurred?
NationsBenefits was breached in the Clop ransomware group campaign against Fortra GoAnywhere clients, previously reported in a separate breach report on Community Health Systems (CHS) (SC Staff, 2023). Breach notification filings for NationsBenefits were found in many states, but the personal information involved has been redacted. Breached data per a news agency allegedly included “first name, middle initial, last name, gender, health plan ID number, address, phone number and date of birth” (Lampariello, 2023). No official headcount has been released, but just in Delaware alone, 15,971 consumers were identified in their breach notification (NationsBenefits, 2023b). NationsBenefits is also identified as a vendor for Aetna health insurance, associating Aetna with the breach (Lampariello, 2023). Finally, Santa Clara Family Health Plan (SCFHP) was also identified as a client involved in the breach.
Estimated costs:
Associated incident response costs, breach notification costs, a “leading cybersecurity firm”
Involved laws:
State: Vermont: 9 V.S.A. § 2435
California: CCPA and Cal. Civ. Code § 1798.29(a)
Delaware: Del. Code Ann. tit. 6 § 12B-101 et seq.
New Hampshire: N.H. Rev. Stat. § 359-C:19 et seq.
Montana: Mont. Code Ann. § 30-14-1704
Root cause:
The zero-day, remote code execution vulnerability in Fortra’s GoAnywhere MFT solution (CVE-2023-0669) (Gatlan, 2023, paras. 8-11; Duffy, 2023, p. 1).
Lessons learned:
TBA or N/A (see disclaimer) (GoAnywhere is marketed as a HIPAA and HITECH-compliant SFTP solution) (Fortra, n.d.).
Sources:
Duffy, R. (2023). Re: Data Security Incident. In Security Breach Notifications. New Hampshire Department of Justice Office of the Attorney General. Retrieved May 4, 2023, from https://www.doj.nh.gov/consumer/security-breaches/documents/nationsbenefits-holdings-20230413.pdf
Fortra. (n.d.). HIPAA & HITECH Compliant File Transfers. goanywhere.com. Retrieved February 16, 2023, from https://www.goanywhere.com/solutions/compliance/hipaa-hitech
Gatlan, S. (2023, February 14). Healthcare giant CHS reports first data breach in GoAnywhere hacks. BleepingComputer. Retrieved February 16, 2023, from https://www.bleepingcomputer.com/news/security/healthcare-giant-chs-reports-first-data-breach-in-goanywhere-hacks/
Lampariello, D. (2023, May 3). Vendor for Aetna insurance announces data breach. WGME. Retrieved May 3, 2023, from https://wgme.com/news/i-team/vendor-aetna-insurance-data-breach-maine
NationsBenefits. (2023a). 2023-04-13 NationsBenefits Holdings Data Breach Notice to Consumers.pdf. In Charity R. Clark Office of the Vermont Attorney General. State of Vermont. Retrieved May 3, 2023, from https://ago.vermont.gov/sites/ago/files/2023-04/2023-04-13%20NationsBenefits%20Holdings%20Data%20Breach%20Notice%20to%20Consumers.pdf
NationsBenefits. (2023b). Data Security Breach Database. In DELAWARE DEPARTMENT OF JUSTICE ATTORNEY GENERAL KATHY JENNINGS. State of Delaware. Retrieved May 3, 2023, from https://attorneygeneral.delaware.gov/fraud/cpu/securitybreachnotification/database/
NationsBenefits (businesswire). (n.d.). NationsBenefits-logo-horiz-c.jpg. Businesswire. https://mms.businesswire.com/media/20210826005241/en/1040665/23/NationsBenefits-logo-horiz-c.jpg
SC Staff. (2023). NationsBenefits impacted by Clop GoAnywhere attacks. SC Media. https://www.scmagazine.com/brief/ransomware/nationsbenefits-impacted-by-clop-goanywhere-attacks
