
Scranton, Pennsylvania-based Commonwealth Health Physician Network - Cardiology, also known as Great Valley Cardiology, suffered a significant data breach that compromised the sensitive personal information of more than 180,000 individuals.

The healthcare provider said in a notice posted on its website that it received information from third-party software provider Fortra on February 2 that threat actors exploited a zero-day vulnerability in the vendor’s GoAnywhere MFT software that Great Valley Cardiology used to securely transfer files.

After learning about the cyber security incident, the healthcare provider immediately launched an investigation to understand its impact on its systems and operations.

“CHSPSC has determined at this point in its investigation that CHSPSC Affiliate personal information relating to patients, a limited number of employees, and other individuals may have been disclosed to the unauthorised party as a result of the Fortra incident,” it said.

Great Valley Cardiology added that the compromised information included patients’ full names, dates of birth, addresses, social security numbers, medical billing and insurance information, diagnoses and medication information.

CHSPSC, along with Fortra, is working with law enforcement authorities, such as the FBI and the Cybersecurity and Infrastructure Security Agency (CISA), to investigate the incident further.

While the company’s notice doesn’t mention the number of affected individuals, a filing with the U.S. Department of Health and Human Services Office for Civil Rights mentions that at least 181,764 people were affected by the security incident.

“To protect against an incident like this from reoccurring, Fortra informed us that it has deleted the unauthorised party’s accounts, rebuilt the secure file transfer platform with system limitations and restrictions, and produced a patch for the software,” the Commonwealth Health Physician Network added.

“CHSPSC has also implemented additional security measures, including immediate steps to implement measures to harden the security of CHSPSC’s use of the GoAnywhere platform.”

CHSPSC is offering a complimentary two years of ID restoration and credit monitoring services through Experian to all affected individuals. It has also set up a dedicated hotline to assist all impacted individuals in getting their queries resolved.