Share this article on:
The number of healthcare organizations to announced they have been affected by the ransomware attack on Accellion has been increasing, with two of the latest victims including Trillium Community Health Plan and Arizona Complete Health.
In late December, unauthorized individuals exploited zero-day vulnerabilities in Accellion’s legacy File Transfer Appliance platform and stole data of its customers before deploying CLOP ransomware.
Trillium Community Health Plan recently notified 50,000 of its members that protected health information such as names, addresses, dates of birth, health insurance ID numbers, and diagnosis and treatment was obtained by the individuals behind the attack and the data was posted online between January 7 and January 25, 2021.
Trillium said it has now stopped using Accellion, has removed all data files from its systems, and has taken steps to reduce the risk of future attacks, including reviewing its data sharing processes. Trillium is offering affected members complimentary credit monitoring and identity theft protection services for 12 months.
Arizona Complete Health has notified 27,390 of its plan members that they were affected by the attack and the same types of data have been compromised. The health plan has also stopped using Accellion and removed its data from its systems and offered plan members complimentary credit monitoring and identity theft protection services for 12 months.
Previously, the Ohio-based supermarket and pharmacy chain Kroger announced that it had been affected by the attack and the protected health information of 368,000 customers had been compromised. The University of Colorado and Southern Illinois University School of Medicine have also said they have been affected.
Lawsuits Filed Against Accellion and its Customers
Multiple lawsuits have now been filed against Accellion and its customers over the breach. Centene Corp. has filed a lawsuit against Accellion alleging it refused to comply with several provisions of its business associate agreement (BAA). The cyberattack resulted in the theft of the protected health information of “a significant number” of its health plan members. Centene believes it will suffer significant costs as a result of the breach and has requested the courts order Accellion to comply with the terms of its BAA and cover all breach-related expenses. Cenene said in the lawsuit that 9 gigabytes of its data was obtained by the attackers.
A federal lawsuit has also been filed against Kroger over the breach. The lawsuit, which seeks class action status, alleges Kroger was negligent and was fully aware of the potential security issues with the legacy file transfer solution, yet failed to upgrade to a more secure solution even after being encouraged to do so by Accellion. Kroger offered its customers 2-years of credit monitoring and identity theft protection services; however, since names, addresses, dates of birth, medical information and Social Security numbers were compromised, 2 years is not viewed as anywhere close to sufficient to protect kroger customers from identity theft and fraud.