Flaws in a 20-year-old File Transfer Appliance (FTA) from Accellion caused data breaches at dozens of companies worldwide. Accellion is a software vendor with customers in healthcare, finance, telecom, education and government. It now faces at least fourteen lawsuits claiming that it failed to maintain adequate security. Some of the lawsuits from healthcare organizations also claim breach of the business associate agreement.
For healthcare customers, the flawed file transfer product stored protected health information (PHI). So when the attacks happened and PHI was stolen, those customers had to comply with the HIPAA Breach Notification Rule, notifying affected individuals, the media, and the U.S. Department of Health and Human Services (HHS). Next came the investment of time and money in forensic analysis, internal investigations and cooperation with law enforcement.
Accellion noticed the first attack (in this recent wave) on December 16, 2020, and more were detected on January 20 and 22, 2021. A ripple effect followed, as the attackers reached dozens of Accellion customers globally over the following weeks and months. The criminals' motive is extortion: they threaten to publish the stolen data if money isn't paid.
Victims of the Accellion Breach
Victims include the Reserve Bank of New Zealand, the state of Washington, the law firm Jones Day, Trinity Health, Stanford University School of Medicine, the University of California, and UC Davis.
Also hit were supermarket and pharmacy chain Kroger, Southern Illinois University School of Medicine; Trillium Community Health Plan in Springfield, Oregon; Canada-based Nova Scotia Health Employees’ Pension Plan and Centene Corp., among many others.
Difficult News to Deliver
UC Davis alerted its community members about threatening emails they might receive from the cyber criminals. The university posted the following:
We believe the person(s) behind this attack are sending threatening mass emails to members of the UC community in an attempt to scare people into giving them money. The message states:
“Your personal data has been stolen and will be published”
Anyone receiving this message should either forward it to their local information security office or simply delete it.
Imagine sending this to healthcare patients.
Lawsuits Start to Pile Up
One of the larger breaches occurred at Centene Corp., an Accellion customer that operates health plans. Centene has filed a lawsuit against Accellion alleging that Accellion breached its business associate agreement. To date, more than 1.3 million individuals in the Centene health plans have been affected:
- Health Net Community Solutions – 687,000
- Health Net of California – 524,000
- California Health & Wellness – 80,000
- Health Net Life Insurance Co. – 27,000
What Accellion Knew and When
Accellion says that it has been trying for three years to migrate customers away from this legacy product to a newer one, and that it was ending support in April 2021. The migration wasn't timely enough to prevent this train wreck, though, and now Accellion will have to defend its actions in the lawsuits. It may also face HIPAA enforcement from HHS.
Accellion will need to show that its security procedures were appropriate. As a HIPAA business associate, did it conduct a risk analysis? Did it comply with its business associate agreements with its healthcare customers?
Covered Entities May be Responsible Too
If the lawsuits show that Accellion was negligent because it kept a product on the market despite known security flaws, the organizations that had been warned of those flaws and continued to use the product might also be found negligent. Covered entities should make sure their business associate due diligence is complete and their agreements are up to date, so that they do not become responsible for their vendor's mistakes.