HIPAA Horror Stories

Legacy Software Nightmare

Update June 2, 2021

Flaws in a 20-year-old File Transfer Appliance from Accellion caused data breaches at dozens of companies worldwide. Accellion is a software vendor with customers in healthcare, finance, telecom, education and government. It now faces at least fourteen lawsuits claiming that it failed to maintain adequate security. Some of the lawsuits from healthcare organizations also claim breach of the business associate agreement.

For healthcare customers, the flawed file transfer program contained protected health information (PHI). So when the attacks happened and PHI was stolen, those customers had to comply with the HIPAA Breach Notification Rule, notifying affected individuals, the media, and the U.S. Department of Health and Human Services (HHS). Next came an investment of time and money in forensic analysis, internal investigations and cooperation with law enforcement.

Accellion noticed the first attack (in this recent wave) on December 16, 2020, and more were detected on January 20 and 22, 2021. A ripple effect followed, as the attackers reached dozens of Accellion customers globally over the following weeks and months. The criminals’ motive is extortion: they threaten to publish the data if money isn’t paid.

Victims of the Accellion Breach

Victims include the Reserve Bank of New Zealand, the state of Washington, the law firm Jones Day, Trinity Health, Stanford University School of Medicine, the University of California, and UC Davis.

Also hit were supermarket and pharmacy chain Kroger; Southern Illinois University School of Medicine; Trillium Community Health Plan in Springfield, Oregon; Canada-based Nova Scotia Health Employees’ Pension Plan; and Centene Corp., among many others.

As of June 2, 2021, the total number of individuals whose PHI was stolen is 3.47 million.

  • Kroger Pharmacy: 1,474,284
  • Health Net: 1,236,902
  • Trinity Health (Livonia, Mich.): 586,869
  • California Health & Wellness: 80,138
  • Trillium Health Plan: 50,000
  • Arizona Complete Health: 27,390
  • CalViva: 15,287

Difficult News to Deliver

UC Davis alerted its community members about threatening emails they might receive from the cyber criminals. The university posted the following:

We believe the person(s) behind this attack are sending threatening mass emails to members of the UC community in an attempt to scare people into giving them money. The message states:

“Your personal data has been stolen and will be published”

Anyone receiving this message should either forward it to your local information security office or simply delete it.

Imagine sending this to healthcare patients.

Lawsuits Start to Pile Up

One of the larger breaches occurred at Centene Corp., an Accellion customer that operates health plans. Centene has filed a lawsuit against Accellion alleging that Accellion breached its business associate agreement. To date, more than 1.3 million individuals in the Centene health plans have been affected.

Among them:

  • Health Net Community Solutions – 687,000
  • Health Net of California – 524,000
  • California Health & Wellness – 80,000
  • Health Net Life Insurance Co. – 27,000

What Accellion Knew and When

Accellion says that it has been trying for three years to migrate customers away from this legacy product to a newer one, and was ending support in April 2021. The migration wasn’t timely enough to prevent this train wreck, though, and now Accellion will have to defend its actions in lawsuits. It may also face HIPAA enforcement from HHS.

Accellion will need to show that its security procedures were appropriate. As a HIPAA business associate, did it conduct a Risk Analysis? Did it comply with its business associate agreements with its healthcare customers?

Covered Entities May Be Responsible Too

If the lawsuits show that Accellion was negligent because it kept a product on the market despite known security flaws, those organizations that had been warned of the security flaws and continued to use the product might also be found negligent. Covered entities should make sure their business associate due diligence is complete and their agreements are up to date to avoid becoming responsible for their vendor’s mistakes.

Copyright © 2023 ET&C Group LLC.
