Accellion, Inc. has agreed to pay $8.1 million to settle a class action lawsuit that resulted from a December 2020 data breach. Accellion is a technology company specializing in secure file sharing and collaboration with customers in healthcare, finance, telecom, education and government around the world. The breach occurred because of security flaws in Accellion’s legacy software.
Millions of individuals had their protected health information (PHI) compromised in the breach. Patients and customers of Kroger Pharmacy, Beaumont Health, Trinity Health, Health Net and Centene Corp., among others, were affected. Lawsuits followed, including a class action by individuals filed in the U.S. District Court for the Northern District of California.
As a business associate for covered entities like Centene and Kroger, Accellion had a duty to comply with HIPAA, to maintain proper data security practices and to monitor for security vulnerabilities. The lawsuits complained that Accellion failed to have basic cybersecurity defenses in place and failed to update and patch its software, leaving customers vulnerable to hacking.
Ultimately, the data breach at Accellion involved zero-day vulnerabilities in the company’s file sharing program. The class action lawsuit claimed that Accellion was not only aware of the risks and vulnerabilities presented by its outdated software, but also failed to take action to keep its file transfer platform secure. Since Accellion had not corrected the flaw in its program, hackers were able to exploit the vulnerability as customers continued to use it. Although Accellion later replaced the flawed program with a newer version, it continued to allow customers to renew their licenses on the outdated one that was less secure.
The class members alleged that Accellion violated the Washington Consumer Protection Act, the California Consumer Privacy Act, the North Carolina Unfair Deceptive Trade Practices Act, and other consumer protection statutes. HIPAA is a federal law and does not give individuals a private right to sue, but states have consumer protection and privacy laws that lawyers can use.
Business Associate Due Diligence
In addition to the class action lawsuit by the millions of individuals affected, Accellion also faced numerous lawsuits from covered entity customers, like Centene, who claimed Accellion did not comply with its business associate agreement. Centene claimed the Accellion hack would cause it to incur significant costs, including remediation, mitigation, victim and regulator notification and attorneys’ fees. The lawsuit asked the court to order Accellion to comply with the terms of its business associate agreement and reimburse Centene for all breach-related expenses.
Although it was Accellion’s failure to patch known vulnerabilities that led to the ransomware attack, covered entities like Centene, Kroger Pharmacy and Trinity Health are responsible for ensuring their business associates provide the necessary protection when handling PHI. Ultimately, covered entities can be found liable for data breaches caused by their business associates, which is why it’s crucial for them to repeat their due diligence on business associates regularly and make sure their BA agreement is current.