Millions of people in the US had masses of personal and health information stolen in a massive hack targeting dozens of companies, including healthcare providers, according to new filings with the federal government.
NationBenefits, a Florida-based technology company that provides additional benefits to its more than 20 million members in the US, confirmed in April that hackers had stolen member data as a result of a massive ransomware attack targeting customers using Fortra’s GoAnywhere file transfer software.
At the time, NationBenefits confirmed that the personal information of more than 7,100 residents of the state had been stolen in the cyberattack, but the full number of people affected was not known.
Now, a listing on the U.S. Department of Health’s data breach portal confirms that data was stolen from more than three million NationBenefits members in the incident, making it the third-largest health data breach of 2023 so far.
When reached by TechCrunch, NationBenefits spokesperson Kal Gajraj declined to say what types of data had been stolen. However, NationBenefits is currently listed on the dark web leak site of the Clop ransomware gang, which claimed responsibility for the Fortra attacks. Examples of the stolen data, seen by TechCrunch, include customer databases containing members’ names, addresses, phone numbers, dates of birth, gender, marital status, and insurance information.
NationBenefits is one of many healthcare providers whose Fortra-hosted systems were raided by hackers.
The hackers also hit Brightline, a virtual coaching and therapy provider for children. Brightline has yet to confirm how many of its patients have been affected, but the Department of Health’s breakthrough portal suggests that more than 960,000 of the company’s pediatric psychiatric patients had data stolen in the cyberattack. In a post on its website, Brightline — which has repeatedly declined to answer TechCrunch’s questions — said that this information includes protected health and personal information.
US healthcare giant Community Health Systems was the first to confirm in February that hackers had stolen data from its Fortra system. In a message, the healthcare provider said hackers had access to the personal data of at least one million patients.