Millions of patients’ data confirmed stolen after Fortra mass-hack

Millions of people across the U.S. had reams of personal and health information stolen in a mass-hack targeting dozens of companies, including healthcare providers, according to new filings with the federal government.

NationBenefits, a Florida-based technology company that offers supplementary benefits to its 20 million-plus members across the U.S., confirmed in April that hackers had stolen member data as the result of a mass ransomware attack targeting customers who used Fortra’s GoAnywhere file-transfer software.

At the time, NationBenefits confirmed that more than 7,100 state residents had their personal information stolen in the cyberattack, but the full number of affected individuals was not known.

Now, a listing on the U.S. Department of Health’s data breach portal confirms that more than three million NationBenefits members had data stolen in the incident, making it the third largest health data-related breach of 2023 so far.

When reached by TechCrunch, NationBenefits spokesperson Kal Gajraj declined to say what types of data was stolen. However, NationBenefits is currently listed on the dark web leak site of the Clop ransomware gang, which claimed responsibility for the Fortra attacks. Samples of the stolen data, seen by TechCrunch, includes customer databases that include members’ names, addresses, phone numbers, dates of birth, gender, marital status and insurance details.

NationBenefits is one of several healthcare providers whose Fortra-hosted systems were raided by hackers.

The hackers also hit Brightline, a virtual coaching and therapy provider for children. Brightline has yet to confirm how many of its patients have been impacted, but the Department of Health’s breach portal suggests more than 960,000 of the company’s pediatric mental health patients had data stolen in the cyberattack. In a notice on its website, Brightline — which has repeatedly refused to answer TechCrunch’s questions — said this information includes protected health and personal information.

U.S. healthcare giant Community Health Systems in February was the first to confirm that hackers had stolen data from its Fortra system. In a notice, the healthcare provider said hackers had accessed the personal data of at least one million patients.