PHI of Almost 3.5 Million Individuals was Compromised in the Accellion Cyberattack

The number of healthcare organizations known to have been affected by the Accellion cyberattack has been growing. Over the past few days, several health insurers and healthcare providers have confirmed they have been affected by the cyberattack.

The Accellion FTA was released around 20 years ago to allow enterprises to securely share files that were too large to send via email. The Accellion FTA reaches end-of-live on April 30, 2021. For the past 3 years Accellion has been trying to encourage customers to switch to its newer, more secure Kiteworks platform. Most users of the Accellion FTA had already switched to Kiteworks or an alternative solution at the time of the cyberattack. Around 100 companies still using the solution had data compromised in the attack.

In December 2020, hackers chained exploits for multiple zero-day vulnerabilities in the legacy Accellion File Transfer Appliance and exfiltrated data, then issued a demand for payment to ensure the return/deletion of the data. Ransomware was not used in the attack, but the incident has been linked to the Clop ransomware gang. The data leak site of the Clop ransomware gang was used to publish some of the stolen data to encourage payment of the ransom.

The number of healthcare organizations affected by the Accellion data breach is not yet known, but so far at least 9 healthcare organizations are known to have been affected.

Kroger Pharmacy had the data of 1,474,284 of its customers stolen, Health Net has reported the breach as affecting 1,236,902 members, Trinity Health said 586,869 patients had been affected, California Health & Wellness reported the breach as affecting 80,138 members, Trillium Health Plan said 50,000 had been affected, and 29,390 members of Arizona Complete Health had their PHI compromised.

Stanford Medicine, University of Miami Health, and Centene Corp have also been affected by the breach, although the number of individuals affected at each of those organizations has not yet been confirmed.

As it stands, the protected health information of 3,457,583 individuals is known to have been compromised, making the Accellion data breach one of the largest healthcare data breaches to be reported in the past 5 years.