
Federal Lawsuits in Fortra Health Data Breach Piling Up

Several Proposed Class Actions Filed Against NationsBenefits, Aetna, Others
NationsBenefits Holdings and Aetna are among health sector companies facing data breach lawsuits involving the exploitation of a Fortra GoAnywhere security flaw. (Image: NationsBenefits, Aetna)

Proposed class action lawsuits are piling up in federal courts over hackers' use of a vulnerability in Fortra's GoAnywhere secure file transfer software and a resulting health data breach affecting more than 3 million individuals.


Florida third-party benefits administrator NationsBenefits Holdings disclosed in April that months earlier hackers had accessed personal information by using the widely exploited flaw (see: Clop GoAnywhere Attacks Have Now Hit 130 Organizations).

As of Monday, plaintiffs have filed at least seven GoAnywhere-related lawsuits against NationsBenefits, including six in the U.S. District Court for the Southern District of Florida.

At least two of the proposed class actions filed against NationsBenefits - one in Florida and one in North Carolina - also name health insurer Aetna as a co-defendant.

Aetna is named sole defendant in a third proposed class action lawsuit involving GoAnywhere hacking, filed last week in the U.S. District Court for the District of Connecticut by a health plan member on behalf of herself and an alleged estimated 3 million others similarly situated.

The lawsuits all make similar allegations, ranging from negligence and breach of fiduciary duty to violations of state consumer protection laws.

They seek relief including actual and punitive damages as well as injunctive relief to order the companies to implement security measures to prevent similar incidents.

Besides Aetna, another NationsBenefits client - Santa Clara Family Health Plan - separately in March reported to HHS' Office for Civil Rights a hacking incident affecting 277,000 individuals that also involved benefits administrator NationsBenefits and the Fortra compromise.

Santa Clara Family Health Plan is also named a co-defendant with NationsBenefits in at least one of the six federal lawsuits filed in Florida (see: Fortra GoAnywhere-Related Health Data Breach Tally Climbs).

NationsBenefits did not immediately respond to Information Security Media Group's request for comment on the lawsuits. Santa Clara Family Health Plan said it does not comment on pending litigation.

Aetna, in a statement to ISMG, said, "nothing is more central to us than protecting the privacy and security of our members' information" and that the company will defend itself against this litigation.

Additional healthcare sector entities and insurers have also reported Fortra-related breaches in recent months and weeks, including Blue Shield of California and virtual therapy provider Brightline (see: Health Plan, Mental Health Provider Hit by GoAnywhere Flaw).

Breach Details

The vulnerability in GoAnywhere MFT is a pre-authentication remote code execution flaw: attackers can remotely execute code without first authenticating to the administrative console.

For the attack to succeed, the administrative console must be exposed to the internet. The first known attacks to exploit the flaw began Jan. 25. On Feb. 1, Fortra issued a security alert and mitigation instructions. On Feb. 7, it released version 7.1.2 of GoAnywhere MFT, which patches the flaw.

The Cybersecurity and Infrastructure Security Agency and other federal agencies have urged GoAnywhere MFT users to immediately patch their software.

About the Author

Marianne Kolbasuk McGee


Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
