586K Trinity Health Patients Added to Accellion Tally, as Lawsuits Pile Up

Accellion is now facing at least 14 lawsuits following a hack and subsequent data theft of its FTA platform. Trinity Health reports more than half a million of its patients were also affected.

Michigan-based Trinity Health recently notified 586,869 patients that their data was compromised during the hack on Accellion’s File Transfer Application (FTA). As the breach tally continues to expand, the vendor now faces at least 14 separate lawsuits.

Trinity Health is a business associate that provides IT services, such as email services, for current and certain former hospitals and providers.

In the incident, first reported in February, Clop ransomware threat actors exploited four known, unpatched vulnerabilities in the FTA platform and gained access to the system for a number of days. The attackers stole troves of client data during the incident.

While the hackers’ intent was initially unclear, Accellion clients began receiving extortion emails in January. The attackers threatened to publish the stolen data if the victims did not pay the demands. At least 100 companies have been impacted by the hack so far.

Trinity Health’s incident was added to the Department of Health and Human Services’ breach reporting tool this week, following reports from four Centene subsidiaries that about 1.3 million of its patients were also impacted by the massive Accellion incident.

Kroger, Trillium Community Health Plan, and the Southern Illinois University School of Medicine, along with a range of other companies, have also been affected.

Accellion notified Trinity Health on January 29 that a security issue with its FTA platform resulted in an attacker downloading its data a week earlier. Upon discovery, Trinity Health took the service offline and launched its own investigation.

The stolen data involved some protected health information that varied by patient, including names, demographic details, contact details, provider names, medical record numbers, dates and types of services, claims data, immunization type, lab results, medications, payments, and payer names.

For some patients, Social Security numbers and credit card numbers were compromised.

The investigation into the incident is ongoing. Trinity Health has since terminated access and use of the FTA appliance, while working with Accellion to investigate the incident. Officials said they’ve also confirmed the security of its network, as they continue to further evaluate enterprise security measures.

It’s the second vendor-related breach reported by Trinity Health in the last six months. The 2020 Blackbaud incident impacted the data of more than 3.3 million Trinity Health patients, making it the largest healthcare provider affected by the attack overall.

As the number of victims continues to trickle in, the breadth and scope of the Accellion incident bear the hallmarks of the Blackbaud incident, highlighting the need for entities to review vendor management processes.

In the incident's wake, Accellion is facing at least 14 separate lawsuits led by some of the largest victims, including Kroger, Centene, and Washington state, among others. Patients filed a lawsuit against Kroger for the Accellion hack, as well. Some victims are seeking to merge the lawsuits into one class action suit.

The lawsuit highlights the company’s own description of its FTA to further its argument, including that the firewall “prevents data breaches” and provides enterprise security leaders with visibility, security, and control over file sharing processes.

Further, the lawsuits claim Accellion was aware of the risks posed by use of the “outdated legacy product,” as it was nearing end-of-life and therefore vulnerable to compromise.

For a number of years, customers had been encouraged to update to the vendor’s newer secure file sharing program, kiteworks, as the platform would add a critical layer of security.

“Even Accellion itself recognizes that its FTA program is inadequate to keep files transfers secure, admitting that ‘in today’s breach-filled, over-regulated world, you need broader protection and control’ than FTA can offer,” according to the lawsuit.

“[Accellion] was aware that FTA was an inadequately secure product, yet sold this vulnerable product… for the transfer of personal information,” the lawsuit adds. “[Accellion’s] failure to ensure the FTA provided adequate security protocols jeopardized the personal information of millions… and also fell short of reasonable expectations for protection of their information.”

The victims argue that the security incident has caused actual damages, while putting individuals at an imminent risk of future harm. As such, the breach victims are seeking redress for Accellion’s “unlawful conduct.”

Data breach lawsuits are par for the course in the recent threat landscape, with no clear pattern on resolutions. Many are settled out of court, while some judges require victims to fully demonstrate that incidents pose “actual harm” to victims.

Accellion has provided all victims with security insights into the incident, for transparency purposes.