Over half a million Trinity Health patients affected in data breach
by Emma Contreras
Trinity Health recently confirmed that 586,869 patients were affected by a large-scale data breach. As one of the largest multi-institutional healthcare delivery systems in the nation, Trinity Health serves over 30 million patients across 22 states.
The data breach started when hackers illicitly accessed patient files that were hosted on Accellion’s file transfer platform. Accellion, Trinity’s business associate, is a California-based technology company that specializes in secure file sharing and collaboration products that are utilized by over 3,000 businesses and government agencies.
The Michigan-based healthcare provider has been added to a lengthy list of victims affected by Accellion’s ransomware attack. Other organizations include Community Health Plan, the Southern Illinois University School of Medicine, Trillium, Kroger, Washington state, and Centene.
This is Trinity Health’s second vendor-related data breach in the past six months; it was also affected by Blackbaud’s 2020 cyber attack which compromised the data of 3.3 million patients—one of the largest healthcare data breaches of 2020.
Details of Accellion’s data breach
As Trinity Health’s business associate, Accellion was entrusted to securely handle the protected health information (PHI) of millions of patients. Unfortunately, in January of 2021, hackers exploited four known, unpatched vulnerabilities in Accellion’s File Transfer Appliance (FTA) platform.
They were able to gain access to the system undetected and in the process stole large quantities of client data. The breach impacted millions of patients, including 1.3 million patients of Centene alone.
Stolen data included PHI, financial records, and other sensitive pieces of information.
Following the breach, Accellion’s clients began to receive ransomware extortion emails that contained threats to publish the stolen data if the victims did not meet the hackers’ demands. Over 100 companies were impacted by the hack.
SEE ALSO: To Pay or to Not Pay for Stolen Data
Accellion’s data breach is one in a long line of targeted attacks against healthcare organizations, attacks that have been on a steady rise over the past few years and accelerated by the coronavirus pandemic. Among these include two recent ransomware attacks against covered entities, which are being investigated by the FBI.
The investigation into Accellion’s data breach has been ongoing following the discovery of the attack. Accellion notified Trinity Health of the attack on January 29, 2021, which prompted Trinity to terminate its use of the FTA platform and launch an independent investigation.
SEE ALSO: HIPAA Breach Report for May 2021
Data breach lawsuits against Accellion
Accellion is now facing at least 14 separate lawsuits by many of the largest victims; some of the victims merged individual lawsuits and filed a class-action lawsuit in federal court in March of 2021.
The lawsuits allege that Accellion was not only aware of the risks and vulnerabilities presented by outdated software, but also failed to take action to keep its file transfer platform secure. According to the lawsuits, Accellion knew that its FTA platform was inadequately secure and yet continued to sell an unsafe product. The lawsuit’s plaintiffs also claim that Accellion committed unlawful conduct by putting individual patients at imminent risk of future harm.
In Centene’s lawsuit against Accellion, the healthcare insurer claims that Accellion refused to comply with a list of provisions set forth in its business associate agreement (BAA), and its failure to protect sensitive data will cause Centene to incur significant damages stemming from the costs of victim notification, remediation, mitigation, and attorneys’ fees.
Although it was Accellion’s failure to patch known vulnerabilities that led to the ransomware attack, covered entities like Trinity Health and Centene are responsible for ensuring their business associates provide the necessary protection when handling PHI. Ultimately, covered entities can be found liable for data breaches caused by their business associates, which is why it’s crucial that they partner with only trusted, HIPAA compliant partners.
Data breach lawsuits are an unfortunate consequence of ransomware, email phishing, and other online attacks that exploit vulnerabilities in systems and networks. It’s crucial that any organization that handles PHI takes every precaution to ensure complete protection against bad actors.
Safeguard against ransomware threats with Paubox Email Suite Plus
On top of facing potential HIPAA fines, Accellion also has over a dozen lawsuits on its hands. In its failure to act swiftly to repair known vulnerabilities, Accellion exposed the data of millions of patients who must now deal with the consequences of the data breach.
SEE ALSO: What to Do After You Violate HIPAA
Avoid making similar mistakes as Accellion—and the fines, lawsuits, and other consequences that usually follow a data breach—by adding an additional layer of cybersecurity to your organization’s system with a trusted partner that specializes in HIPAA compliance.
Stop ransomware attacks with Paubox Email Suite Plus. Our one-stop shop solution enables you to send HIPAA compliant email by default, and our patented ExecProtect feature prevents display name spoofing emails from reaching inboxes in the first place.
With our inbound email security solutions, you can rest assured knowing we will filter out email spam, viruses, and other threats to keep you safe. In addition to signing a BAA with every customer, all of our solutions are HITRUST CSF certified.
Paubox Email Suite Plus customers also now have access to our new Zero Trust Security for Email feature. Zero Trust is a cybersecurity framework that requires strict identity verification for every person or device that attempts to access resources on a private network.
As the list of healthcare organizations affected by Accellion’s data breach grows, it should serve as a warning to other covered entities and business associates that they must exercise extreme caution in how they handle information security, privacy safeguards, and risk management plans.