HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

More Health Insurers Confirmed as Victims of Accellion Ransomware Attack and Multiple Lawsuits Filed

The number of healthcare organizations to announced they have been affected by the ransomware attack on Accellion has been increasing, with two of the latest victims including Trillium Community Health Plan and Arizona Complete Health.

In late December, unauthorized individuals exploited zero-day vulnerabilities in Accellion’s legacy File Transfer Appliance platform and stole data of its customers before deploying CLOP ransomware.

Trillium Community Health Plan recently notified 50,000 of its members that protected health information such as names, addresses, dates of birth, health insurance ID numbers, and diagnosis and treatment was obtained by the individuals behind the attack and the data was posted online between January 7 and January 25, 2021.

Trillium said it has now stopped using Accellion, has removed all data files from its systems, and has taken steps to reduce the risk of future attacks, including reviewing its data sharing processes. Trillium is offering affected members complimentary credit monitoring and identity theft protection services for 12 months.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

Arizona Complete Health has notified 27,390 of its plan members that they were affected by the attack and the same types of data have been compromised. The health plan has also stopped using Accellion and removed its data from its systems and offered plan members complimentary credit monitoring and identity theft protection services for 12 months.

Previously, the Ohio-based supermarket and pharmacy chain Kroger announced that it had been affected by the attack and the protected health information of 368,000 customers had been compromised. The University of Colorado and Southern Illinois University School of Medicine have also said they have been affected.

Lawsuits Filed Against Accellion and its Customers

Multiple lawsuits have now been filed against Accellion and its customers over the breach. Centene Corp. has filed a lawsuit against Accellion alleging it refused to comply with several provisions of its business associate agreement (BAA). The cyberattack resulted in the theft of the protected health information of “a significant number” of its health plan members. Centene believes it will suffer significant costs as a result of the breach and has requested the courts order Accellion to comply with the terms of its BAA and cover all breach-related expenses. Cenene said in the lawsuit that 9 gigabytes of its data was obtained by the attackers.

A federal lawsuit has also been filed against Kroger over the breach. The lawsuit, which seeks class action status, alleges Kroger was negligent and was fully aware of the potential security issues with the legacy file transfer solution, yet failed to upgrade to a more secure solution even after being encouraged to do so by Accellion. Kroger offered its customers 2-years of credit monitoring and identity theft protection services; however, since names, addresses, dates of birth, medical information and Social Security numbers were compromised, 2 years is not viewed as anywhere close to sufficient to protect kroger customers from identity theft and fraud.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.