Multiple Lawsuits Filed by Victims of Accellion Ransomware Attack

The number of healthcare groups to reveal that they have been impacted by the ransomware attack on Accellion has grown, with two of the most recent victims listed as Trillium Community Health Plan and Arizona Complete Health.

In December 2020, unauthorized people targeted zero-day vulnerabilities in Accellion’s legacy File Transfer Appliance platform and illegally removed data of its customers before deploying CLOP ransomware.

Trillium Community Health Plan recently made contact with 50,000 of its members and informed them that protected health information including names, addresses, dates of birth, health insurance ID numbers, and diagnosis and treatment information was stolen and data was published online between January 7 and January 25, 2021.

Trillium said it has now brought an end to using Accellion, has deleted all data files from its databases, and has taken steps to eliminate the risk of anymore attacks, including reviewing its data sharing procedures. Trillium is providing impacted members with free credit monitoring and identity theft protection services for one year.

Arizona Complete Health has contacted 27,390 of its plan members that they were impacted by the attack and the same types of data have been infiltrated. The health plan is no longer using Accellion and deleted its data from its systems and offered plan members free credit monitoring and identity theft protection services for one year.

The Ohio-based supermarket and pharmacy chain Kroger has also announced it had been impacted by the attack and the protected health information of 368,000 customers was potentially compromised. The University of Colorado and Southern Illinois University School of Medicine have also said they have been impacted.

Legal action is being taken against Accellion and its customers over the breach. Centene Corp. has filed a lawsuit against Accellion alleging it refused to comply with several provisions of its business associate agreement (BAA). The cyberattack led to the theft of the protected health information of “a significant number” of its health plan members. Centene is of the opinion that it will record a massive financial hit due to the breach and has requested the courts order Accellion to adhere with the terms of its BAA and cover all breach-related expenses. Cenene said in the legal action that 9 gigabytes of its data was obtained by the hackers.

A federal legal action also been submitted against Kroger in relation to the breach. The lawsuit, which is requesting class action status, claims Kroger was partly to blame and was 100% aware of the possible security problems with the legacy file transfer solution, yet did not upgrade to a safer solution even after being asked to do so by Accellion. Kroger provided its customers with two-years of free credit monitoring and identity theft protection services; however, since names, addresses, dates of birth, medical data and Social Security numbers were impacted, two years is not believed to be sufficient by the plaintiffs to protect them against identity theft and fraud.

Author: Maria Perez