
500,000+ Trinity Health patients affected in widespread Accellion data breach

Several healthcare entities that used Accellion's file transfer software now find themselves the victims of a data breach, including Trinity Health. The software had vulnerabilities that were exploited by cybercriminals, resulting in the exposure of personal health information.


A data breach resulting from vulnerabilities in file transfer service provider Accellion’s software has affected multiple healthcare entities. The latest victim is Livonia, Michigan-based Trinity Health, which recently announced the security incident that has affected over half a million of its patients.

Reports of security incidents related to Accellion’s legacy file transfer appliance started appearing in February. Several healthcare entities that used the software said they had been affected, including Trillium Community Health Plan, University of Miami Health and Centene, which sued Accellion after information for 1.3 million patients of its subsidiaries was exposed as a result of the breach.

Accellion’s software was the target of “sophisticated cyberattacks,” the company said. Though the total number of healthcare consumers affected is unknown — as some entities did not publicly report those numbers to the Department of Health and Human Services’ data breach portal — the figure has reportedly crossed 3 million.

The incident at Trinity Health affected 586,869 patients, the system reported to HHS.

Trinity Health had been using the company’s software for large file transfers. On Jan. 29, Accellion informed Trinity Health of a security issue with its software. The health system immediately stopped using it and launched an investigation.

The provider found that certain files present on the software on Jan. 20 were downloaded by an unknown user. The files contained protected health information, including names, addresses, dates of birth, healthcare providers, medical record numbers and payment and claims information. For a small group, Social Security or credit card numbers were also exposed.

Trinity Health is offering complimentary access to identity or credit monitoring services to the affected patients.

Accellion recently engaged FireEye Mandiant, a cybersecurity forensics firm, to conduct an investigation into the cyberattacks and to review its file transfer appliance for any other potential security vulnerabilities. Accellion has closed all known software vulnerabilities, Mandiant said in a report. Further, Mandiant did not discover any additional vulnerabilities that were exploited by the attackers.

The Accellion data breach has reportedly affected about 100 of its clients, including at least seven healthcare entities in addition to Trinity Health.

Further, the effects of the breach are not limited to U.S. companies alone, with organizations across the globe falling victim to the software security issue.

The Cybersecurity & Infrastructure Security Agency has even worked with the cybersecurity authorities of Australia, New Zealand, Singapore and the United Kingdom to issue a joint advisory on identifying vulnerabilities and preventing data breaches connected to the software.
