Santa Clara Family Health Plan logo (image source: Santa Clara Family Health Plan (romanempireagency.com), 2017)
One-sentence summary:
Santa Clara Family Health Plan (SCFHP) was breached in January 2023 during the Clop ransomware campaign on Fortra and NationsBenefits, affecting 276,000+ Californian residents.
Who was involved?
Santa Clara Family Health Plan (SCFHP), NationsBenefits Holding, LLC, Fortra, LLC, 276,993 Californian residents, and the Clop ransomware group.
What was the timeline?
January 30, 2023: Breach occurs affecting Fortra GoAnywhere MFT systems with tenancy by NationsBenefits, affecting Santa Clara Family Health Plan (SCFHP)
February 7, 2023: SCFHP learns of the attack and begins an incident response
February 13, 2023: SCFHP discovers data was breached in the attack
March 30, 2023: Santa Clara Family Health Plan (SCFHP) notifies HHS of the breach
What occurred?
Santa Clara Family Health Plan (SCFHP) contracted services to NationsBenefits, which was previously reported in the Fortra GoAnywhere breach campaign by the Clop ransomware group. As a result, it was involved in NationsBenefit’s breach, affecting the sensitive data of over 276,993 Californian residents and may have breached: “name, demographic information (including address, phone number, gender, date of birth), phone number, health insurance number, medical ID number, Social Security number, date of service, medical device or product purchased and provider/care giver name” (NationsBenefits, n.d.; Santa Clara Family Health Plan, n.d.; HHS, 2023). Community Health Systems was also affected by the Fortra attacks, and, unfortunately, there are likely to be more organizations involved (estimated to be over 130) (Alder, 2023).
Estimated costs:
Associated incident response costs, breach notification costs, “leading cybersecurity firm,” M-F call center
Involved laws:
Federal: HIPAA and HITECH
State: CCPA and Cal. Civ. Code § 1798.29(a)
Root cause:
The zero-day, remote code execution vulnerability in Fortra’s GoAnywhere MFT solution (CVE-2023-0669) (Gatlan, 2023, paras. 8-11; Duffy, 2023, p. 1).
Lessons learned:
TBA or N/A (see disclaimer) (GoAnywhere is marketed as a HIPAA and HITECH-compliant SFTP solution) (Fortra, n.d.).
Sources:
Alder, S. (2023, April 25). 277,000 Santa Clara Family Health Plan Members Affected by GoAnywhere Hack. HIPAA Journal. Retrieved May 4, 2023, from https://www.hipaajournal.com/277000-santa-clara-family-health-plan-members-affected-by-goanywhere-hack/
Duffy, R. (2023). Re: Data Security Incident. In Security Breach Notifications. New Hampshire Department of Justice Office of the Attorney General. Retrieved May 4, 2023, from https://www.doj.nh.gov/consumer/security-breaches/documents/nationsbenefits-holdings-20230413.pdf
Fortra. (n.d.). HIPAA & HITECH Compliant File Transfers. goanywhere.com. Retrieved February 16, 2023, from https://www.goanywhere.com/solutions/compliance/hipaa-hitech
Gatlan, S. (2023, February 14). Healthcare giant CHS reports first data breach in GoAnywhere hacks. BleepingComputer. Retrieved February 16, 2023, from https://www.bleepingcomputer.com/news/security/healthcare-giant-chs-reports-first-data-breach-in-goanywhere-hacks/
HHS. (2023). Cases Currently Under Investigation. In Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information. U.S. Department of Health and Human Services Office for Civil Rights. Retrieved May 4, 2023, from https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
NationsBenefits. (n.d.). Notice of Fortra Data Security Incident. In NationsBenefits. Retrieved May 4, 2023, from https://nationsbenefits.com/incidentsupport
Santa Clara Family Health Plan. (n.d.). Santa Clara Family Health Plan. Retrieved May 4, 2023, from https://www.scfhp.com/
Santa Clara Family Health Plan (romanempireagency.com). (2017, October). santa-clara-white-bg-alt.png. romanempireagency.com. https://www.romanempireagency.com/wp-content/uploads/2017/10/santa-clara-white-bg-alt.png
