Jag_cz - stock.adobe.com
Beaumont Health Latest Victim of Accellion Data Breach
Nearly nine months after the Accellion data breach, Beaumont Health in Michigan joined a list of over 11 healthcare organizations impacted by the cyberattack.
Michigan-based Beaumont Health is the latest victim of the Accellion data breach, a December 2020 cyberattack that claimed 100 victims and counting. Millions of patients’ data were compromised when bad actors exploited zero-day vulnerabilities in Accellion’s File Transfer Application (FTA).
Law firm Goodwin Proctor notified Beaumont Health in February that patient data shared with the firm may have been compromised since the firm used Accellion’s file transfer software on behalf of Beaumont.
The health system notified approximately 1,500 patients that their data may have been compromised through this incident.
“The security incident at Accellion impacted the File Transfer software, which put a limited amount of patient information at risk. Upon learning of the issue, Goodwin immediately took the appliance offline and launched an investigation into the issue and its impact on both Goodwin and its clients,” Beaumont Health’s statement explained.
“This investigation, which is being supported by a leading forensic investigation firm, determined that certain files present on the appliance on January 20, 2021 were downloaded by an unknown user as a result of the exploitation of a previously unknown vulnerability in the Accellion appliance.”
Upon learning of the cyberattack, Beaumnt conducted its own investigation and determined on June 28 that some of the impacted information contained Beaumont patients’ protected health information (PHI).
The compromised information was limited to patients who received one of two procedures at Beaumont hospital, along with names, physician names, date of service, procedure names, and internal medical record numbers. No financial information was involved.
Goodwin began sending letters to impacted patients on behalf of Beaumont Health on August 27. The letter guides patients through steps to protect themselves against identity fraud.
“At Beaumont, protecting the privacy of personal information is a top priority,” the statement concluded.
“Beaumont is committed to maintaining the privacy of personal information in its possession and has taken precautions to safeguard it. Beaumont continually evaluates and modifies its practices and internal controls to enhance the security and privacy of personal information.”
Accellion is now facing over a dozen lawsuits as the breach tally continues to grow. The Cybersecurity and Infrastructure Security Agency (CISA) along with security agencies in the UK, New Zealand, Singapore, and Austrailia alerted organizations of the Accellion breach in February and urged businesses to be vigilant.
Clop ransomware claimed responsibility for the attack and successfully exploited four known unpatched vulnerabilities. Kroger, Bombardier, the Southern Illinois University School of Medicine, and Trillium Community Health Plan were some of the ransomware groups latest victims.
Michigan-based Trinity Health notified over 580,000 patients in April that their data was compromised during the Accellion cyberattack. The stolen data included demographic details, names, medical record numbers, and lab results.
Also in April, Centene notified over 1.3 million patients of the Accellion breach. The hackers gained access to contact details, birthdates, insurance ID numbers, and treatment information.
Clop ransomware later posted stolen data online during a mass extortion effort, and some of the impacted organizations have received emails from the attackers furthering extortion attempts. Even months after the initial breach, the number of victims continues to grow.