Federal Lawsuits in Fortra Health Data Breach Piling Up

Proposed class action lawsuits are piling up in federal courts over hackers’ use of a vulnerability in Fortra’s GoAnywhere secure file transfer and a resulting health data breach affecting more than 3 million individuals.

See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources

Florida third-party benefits administrator NationsBenefits Holdings disclosed in April that months earlier hackers had accessed personal information by using the widely exploited flaw (see: Clop GoAnywhere Attacks Have Now Hit 130 Organizations).

As of Monday, plaintiffs have filed at least seven GoAnywhere-related lawsuits against NationsBenefits, including six in the U.S. District Court for the Southern District of Florida.

At least two of the proposed class actions filed against NationsBenefits – one in Florida and one in North Carolina – also name health insurer Aetna as a co-defendant.

Aetna is named sole defendant in a third proposed class action lawsuit involving GoAnywhere hacking, filed last week in the U.S. District Court for the District of Connecticut by a health plan member on behalf of herself and an alleged estimated 3 million others similarly situated.

The lawsuits all make similar allegations, ranging from negligence and breach of fiduciary duty to violations of state consumer protection laws.

They seek relief including actual and punitive damages as well as injunctive relief to order the companies to implement security measures to prevent similar incidents.

Besides Aetna, another NationsBenefits client – Santa Clara Family Health Plan – separately in March reported to HHS’ Office for Civil Rights a hacking incident affecting 277,000 individuals that also involved benefits administrator NationsBenefits and the Fortra compromise.

Santa Clara Family Health Plan is also named a co-defendant with NationsBenefits in at least one of the six federal lawsuits filed in Florida (see: Fortra GoAnywhere-Related Health Data Breach Tally Climbs).

NationsBenefits did not immediately respond to Information Security Media Group’s request for comment on the lawsuits. Santa Clara Family Health Plan said it does not comment on pending litigation.

Aetna, in a statement to ISMG, said, “nothing is more central to us than protecting the privacy and security of our members’ information” and that the company will defend itself against this litigation.

Additional healthcare sector entities and insurers have also reported Fortra-related breaches in recent months and weeks, including Blue Shield of California and virtual therapy provider Brightline (see: Health Plan, Mental Health Provider Hit by GoAnywhere Flaw).

Breach Details

The vulnerability in GoAnywhere MFT is a pre-authentication remote code execution flaw allowing attackers to exploit the flaw and remotely execute code without having to first authenticate in the administrative console.

For the attack to succeed, the administrative console must be exposed to the internet. The first known attacks to exploit the flaw began Jan. 25. On Feb. 1, Fortra issued a security alert and mitigation instructions. On Feb. 7, it released version 7.1.2 of GoAnywhere MFT, which patches the flaw.

The Cybersecurity and Infrastructure Security Agency and other federal agencies have urged GoAnywhere MFT users to immediately patch their software.