Community Health Systems Inc. data breach affects 1 million patients

Community Health Systems Inc. has informed the stock exchanges about a data breach that was uncovered recently. This data breach has resulted due to GoAnywhere MFT vulnerability. We look at the details of this cyber incident below.

• Community Health Systems uses GoAnywhere secure managed file transfer (MFT).
• GoAnywhere is provided to Community Health Systems by third-party solution provider Fortra LLC.
• GoAnywhere software has a zero-day vulnerability CVE-2023-0669. The vulnerability was disclosed by Fortra on 1st February. It was added to the Known Exploited Vulnerabilities Catalog of CISA on 2nd February 2023.
• The fix for this vulnerability was provided after a week of vulnerability disclosure.
• There has been a spate of cyber attacks in the last week as threat actors exploit the zero-day threat in GoAnywhere MFT.

As we can see, GoAnywhere MFT vulnerability led to the recent attack on the infrastructure of Community Health Systems Inc.

The company filed an 8K filing (SEC filing) with the stock market regulator. The exact details of the issue that have been shared by the Community Health Systems are given below:

• The cyber attack has led to the breach of the personally identifiable information (PII) and ‘Protected Health Information” (PIH) of patients under the HIPAA provisions.
• It is unclear if the exploited data includes personal details, financial details, and healthcare records of the patients.
• As of writing this, patients data of over 1 million subscribers has been accessed by the attackers.
• A full-scale audit is in progress about the scope and scale of this cyber attack. A final number and complete impact summary may be known after the investigation is fully complete.
• Meanwhile, Community Health Systems has mentioned that its business operations and patient care have remained unaffected by the data breach.

If you are a user who has been affected by this data breach at Community Health Systems, the following significant points must be studied:

• Community Health Systems (CHS) is sending notifications to the affected users.
• CHS will offer identity theft protection services to the affected users.
• Affected users will also be entitled to receive free cyber and privacy liability insurance. However, CHS expects that the losses arising out of this data breach may not be fully met by the insurance amounts.
• Any additional expenses on account of the credit liabilities of the affected users are unknown at this point.
• The financial impact of this data breach cannot be forecast at this point until the audit and investigation of the scale of the data breach are completed.

For any clarifications, you can contact the CHS team directly through the website.

The initial impression from this data breach indicates that the impact and extent of this breach may not be fully understood till the audit and investigation of the cyber attack has been finalized.

About Community Health Systems

Community Health Systems is one of the nation’s leading healthcare providers. Developing and operating healthcare delivery systems in 47 distinct markets across 16 states, CHS is committed to helping people get well and live healthier. CHS operates 79 acute-care hospitals and more than 1,000 other sites of care, including physician practices, urgent care centers, freestanding emergency departments, occupational medicine clinics, imaging centers, cancer centers and ambulatory surgery centers.

Community Health Systems trades on the New York Stock Exchange (NYSE). After the data breach was intimated last night, the stock has responded negatively and went down by as much as 15 percent over yesterday’s closing price.