Nova Scotia Health Says 100,000 Affected by MOVEit Hack
Healthcare Sector Poised for Tide of Breaches Linked to the MOVEit Vulnerability
Hackers stole personal information of up to 100,000 employees of Nova Scotia Health by exploiting the zero-day in Progress Software's MOVEit managed file transfer application.
The announcement from the women's and children's health center likely presages further data breach announcements from health sector organizations whose data ransomware hackers obtained by exploiting a now-patched vulnerability in the software.
"Due to its wide footprint, exploitation of this vulnerability can greatly impact the healthcare and public health sector," the U.S. Department of Health and Human Services' Health Sector Cybersecurity Coordination Center warned in an alert late Friday.
The government of Nova Scotia, a Maritime province on Canada's east coast, uses the MOVEit service to transfer employee payroll information.
"Right now, all we can confirm is that the personal information of up to 100,000 past and present employees of Nova Scotia Health, the IWK Health Center and the public service has been stolen," a Nova Scotia government spokesperson told Information Security Media Group.
"This number could change. It could go up or down. Our investigation is ongoing, and we will continue to update the public as more information is available." Patient information appears unaffected, the spokesperson said.
The investigation into the incident determined that compromised employee information includes social insurance numbers, addresses and banking information, Nova Scotia's cybersecurity and digital solutions service said in a statement issued on Tuesday.
The Clop ransomware-as-a-service gang earlier this week asserted it was behind the spate of attacks exploiting the MOVEit vulnerability, which Progress Software patched on May 31 (see: Clop Ransomware Gang Asserts It Hacked MOVEit Instances).
According to Progress Software, hundreds of healthcare and public health sector entities, from hospitals and clinics to insurance groups, use MOVEit for the transfer of files. That includes file transfer for healthcare billing, insurance eligibility inquiries, healthcare claims, audit logs, appointment reminders, patient surveys and patient retrieval of medical records.
"Sensitive information such as medical records, bank records, Social Security numbers, and addresses are at risk if this vulnerability is leveraged. The targeted organization could be subject to extortion by financially motivated threat groups," the federal government said. It advised healthcare and public health sector entities using MOVEit to take "immediate action."
The Clop ransomware gang has warned that it will begin posting the names of victims starting on Wednesday unless it hears from them first. It also asserted that it had erased data obtained from "government, city or police service" sources since "We have no interest to expose such information."
The exploitation of MOVEit has been very broad, some security experts said. "An example of sectors that we are investigating intrusions at include manufacturing, higher education, defense contractors, healthcare, state government, energy, finance, etc.," said Charles Carmakal, chief technology officer at Mandiant Consulting, a unit of Google Cloud, which has been tracking the MOVEit attacks.
The situation with MOVEit follows a string of similar attacks earlier this year involving a vulnerability in another secure file transfer application, Fortra's GoAnywhere MFT (see: Fortra Hacker Installed Tools on Victim Machines).
"Both technologies were mass exploited as a zero-day vulnerability by FIN11," Carmakal told ISMG. "The threat actor stole data from several customers in both situations."
Compromising managed file transfer platforms is attractive to threat actors because organizations often use these applications to store and transfer sensitive data to their partners and customers, Carmakal said.
"Vendors try to make them as secure as possible, but there will always be an ongoing race between threat actors and software vendors," he said.