The number of healthcare companies to report they have been impacted by the Accellion ransomware attack is increasing, with two of the most recent victims such as Trillium Community Health Plan and Arizona Complete Health.
At the end of December, unauthorized people exploited zero-day vulnerabilities in Accellion’s old File Transfer Appliance platform and stole information from its customers before downloading CLOP ransomware.
Trillium Community Health Plan recently informed 50,000 of its members that protected health information (PHI) like names, dates of birth, addresses, health insurance ID numbers, and diagnosis and treatment data was taken by the people that launched the attack and the information was published on the internet between January 7 and January 25, 2021.
Trillium mentioned it has currently halted using Accellion, has taken out all data files stored in its systems, and has taken steps to minimize the threat of future attacks, which include going over its data-sharing processes. Trillium is providing affected members complimentary credit monitoring and identity theft protection services for 12 months.
Arizona Complete Health has advised 27,390 of its plan members regarding the data breach and the types of information that were compromised. The health plan also discontinued utilizing Accellion and took out its files from its systems and provided its plan members credit monitoring and identity theft protection services for 12 months free.
Previously, the supermarket and pharmacy firm Kroger based in Ohio announced that it was impacted by the attack, and the PHI of 368,000 clients were exposed. The University of Colorado and Southern Illinois University School of Medicine likewise mentioned they were affected.
Lawsuits Filed Against Accellion and its Customers
Several lawsuits have currently been filed against Accellion and its customers because of the breach. Centene Corp. has filed a legal case against Accellion alleging it failed to comply with several provisions of its business associate agreement (BAA). The cyberattack led to the theft of the PHI of a substantial number of its health plan members. Centene thinks it is going to suffer from considerable costs due to the breach and has made a request to the courts to order Accellion to abide by the stipulations of its BAA and pay for all breach-related costs. Cenene stated in the lawsuit that the attackers obtained 9 gigabytes of its data.
A federal lawsuit was also filed against Kroger because of the breach. The lawsuit, which seeks class-action status, claims that Kroger was negligent and had complete awareness of the potential security concerns with the legacy file transfer solution, but did not upgrade to a safer solution even after being advised by Accellion. Kroger gave its clients credit monitoring and identity theft protection services for 2 years; nevertheless, since names, addresses, birth dates, medical information, and Social Security numbers were compromised, 2 years is not regarded as enough to safeguard Kroger customers from identity theft and fraud.