More Health Insurance Providers Reported Being Affected by Accellion Ransomware Attack and Multiple Lawsuits Filed

The number of healthcare providers to claim they were affected by the Accellion ransomware attack is growing, with two of the newest victims such as Trillium Community Health Plan and Arizona Complete Health.

In the later part of December, unauthorized persons took advantage of zero-day vulnerabilities in Accellion’s obsolete File Transfer Appliance platform and stole files of its clients prior to implementing CLOP ransomware.

Trillium Community Health Plan lately informed 50,000 of its members that protected health information (PHI) including names, birth dates, addresses, medical insurance ID numbers, and diagnosis and treatment information was acquired by the folks associated with the attack, and the details were shared on the web from January 7 to January 25, 2021.

Trillium reported it has already discontinued using Accellion, has taken away all data files contained in its systems, and has undertaken action to lessen the chance of future attacks, which include examining its data-sharing procedures. Trillium is giving impacted members free credit monitoring and identity theft protection services for one year.

Arizona Complete Health has advised 27,390 of its plan members regarding the attack and the types of data that were exposed. The health plan likewise ended applying Accellion and took away its records from its systems and given its plan members credit monitoring and identity theft protection services for a year at no cost.

In the past, the supermarket and pharmacy company Kroger in Ohio reported that it was affected by the ransomware attack, and the PHI of 368,000 customers was compromised. The University of Colorado and Southern Illinois University School of Medicine also claimed they were impacted.

Lawsuits Filed Versus Accellion and its Clients

Several lawsuits were already filed versus Accellion and its clients due to the breach. Centene Corp. has filed a legal action against Accellion purporting it failed to follow a number of the terms of its business associate agreement (BAA). The cyberattack ended in the stealing of the PHI of a considerable number of its health plan members. Centene states it will probably have substantial costs due to the breach and has submitted a request to the courts to order Accellion to conform to the provisions of its BAA and take care of all breach-related expenditures. Cenene mentioned in the suit that the attackers acquired 9 gigabytes of its information.

A federal lawsuit was likewise submitted against Kroger because of the breach. The lawsuit seeking class-action status states that Kroger had full awareness of the security problems with the legacy file transfer solution, yet neglected it an did not upgrade to a better solution even after being told by Accellion. Kroger provided its customers with credit monitoring and identity theft protection services for two years; nonetheless, because names, addresses, birth dates, healthcare data, and Social Security numbers were exposed, 2 years is not considered sufficient to secure Kroger clients from identity theft and fraud.