In January 2023, Fortra’s GoAnywhere MFT file transfer software—a tool widely used by healthcare and financial institutions—was exploited by the Clop ransomware group, a Russian-based cybercriminal operation. The attack leveraged a zero-day vulnerability, enabling hackers to infiltrate systems and exfiltrate personal health information (PHI) of at least 5 million individuals. The breach also impacted 130 organizations, including major entities like Aetna, Community Health Systems, and NationsBenefits, exposing them to litigation. The incident led to a $20 million class-action settlement (alongside a prior $7 million subclass settlement), covering monetary compensation (up to $5,000 per victim or a flat $85), dark web monitoring, and mandated cybersecurity enhancements by defendants. The breach underscored critical failures in vulnerability management, with plaintiffs alleging negligence in safeguarding sensitive health data from unauthorized access.
TPRM report: https://www.rankiteo.com/company/fortra
{
  "id": "for5993659092925",
  "linkid": "fortra",
  "type": "Ransomware",
  "date": "1/2023",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'customers_affected': '130+ organizations (including '
'Aetna, Community Health '
'Systems, NationsBenefits)',
'industry': 'Cybersecurity/File Transfer',
'name': 'Fortra',
'type': 'Software Provider'},
{'industry': 'Healthcare',
'name': 'Aetna',
'type': 'Health Insurance'},
{'industry': 'Healthcare',
'name': 'Community Health Systems',
'type': 'Healthcare Provider'},
{'industry': 'Healthcare',
'name': 'NationsBenefits',
'type': 'Health Benefits Administrator'},
{'name': 'Brightline'},
{'name': 'Intellihartx'},
{'name': 'Imagine360'}],
'attack_vector': "Exploitation of a zero-day vulnerability in Fortra's "
'GoAnywhere MFT software',
'customer_advisories': 'Dark web monitoring offered to settlement class '
'members (excluding Brightline subclass)',
'data_breach': {'data_exfiltration': True,
'number_of_records_exposed': '5,000,000+',
'personally_identifiable_information': True,
'sensitivity_of_data': 'High (health data)',
'type_of_data_compromised': 'Personal Health Information '
'(PHI)'},
'date_detected': '2023-01',
'description': 'A massive data breach linked to the Clop ransomware group, a '
'Russian-based operation, which exploited a zero-day '
"vulnerability in Fortra's GoAnywhere MFT software. The breach "
'resulted in the theft of personal health information (PHI) of '
'at least 5 million individuals and affected approximately 130 '
'organizations, including major health and financial '
'institutions like Aetna, Community Health Systems, and '
'NationsBenefits. The incident led to multidistrict litigation '
'in the U.S. District Court for the Southern District of '
'Florida, culminating in a $20 million global settlement (in '
'addition to a prior $7 million settlement with a subclass of '
'plaintiffs).',
'impact': {'brand_reputation_impact': 'Significant (led to class-action '
'litigation and regulatory scrutiny)',
'data_compromised': 'Personal health information (PHI) of at least '
'5 million individuals',
'financial_loss': '$27 million (total settlements: $20M global + '
'$7M Brightline subclass)',
'identity_theft_risk': 'High (PHI of 5M+ individuals exposed)',
'legal_liabilities': '$27 million in settlements, potential '
'ongoing legal risks',
'systems_affected': 'Fortra GoAnywhere MFT software used by ~130 '
'organizations'},
'initial_access_broker': {'entry_point': 'Zero-day vulnerability in '
'GoAnywhere MFT software',
'high_value_targets': 'Health and financial '
'institutions (e.g., Aetna, '
'Community Health Systems)'},
'investigation_status': 'Resolved (settlement approved in 2024)',
'lessons_learned': 'Proactive cybersecurity investment and vulnerability '
'monitoring are critical, especially for organizations '
'handling sensitive data (e.g., healthcare). Regulators '
'and courts are increasingly scrutinizing data protection '
'practices.',
'motivation': 'Financial gain (ransomware attack and data exfiltration)',
'post_incident_analysis': {'corrective_actions': ['Enhanced cybersecurity '
'measures by defendants '
'(e.g., Fortra, '
'NationsBenefits)',
'$27 million in settlements '
'to affected parties',
'Dark web monitoring for '
'class members'],
'root_causes': 'Exploitation of unpatched zero-day '
'vulnerability in critical file '
'transfer software'},
'ransomware': {'data_exfiltration': True, 'ransomware_strain': 'Clop'},
'recommendations': ['Monitor and patch zero-day vulnerabilities promptly',
'Enhance cybersecurity measures for file transfer systems',
'Prepare for class-action litigation risks in data breach '
'scenarios',
'Implement dark web monitoring for affected individuals',
'Ensure compliance with healthcare data protection '
'regulations'],
'references': [{'source': 'Duane Morris Class Action Weekly Wire Podcast'},
{'source': 'In Re Fortra File Transfer Software Data Breach '
'Security Litigation (U.S. District Court, Southern '
'District of Florida)'}],
'regulatory_compliance': {'legal_actions': 'Class-action litigation (In Re '
'Fortra File Transfer Software '
'Data Breach Security Litigation)'},
'response': {'communication_strategy': 'Class-action litigation settlements '
'($20M global fund + $7M subclass), '
'dark web monitoring for affected '
'individuals',
'enhanced_monitoring': 'Confirmed by defendants post-settlement',
'incident_response_plan_activated': True,
'remediation_measures': 'Defendants (Fortra, NationsBenefits, '
'etc.) attested to enhancing '
'cybersecurity post-breach'},
'threat_actor': 'Clop Ransomware Group (Russian-based operation)',
'title': 'Fortra GoAnywhere MFT Data Breach (Clop Ransomware Attack)',
'type': ['Data Breach', 'Ransomware Attack'],
'vulnerability_exploited': 'Zero-day vulnerability in GoAnywhere MFT (Managed '
'File Transfer) software'}