Background on Accellion Healthcare Data Breach
The breach occurred in December 2020 when cybercriminals exploited zero-day vulnerabilities in the company’s File Transfer Appliance (FTA).
The breaches affected federal, state, local, tribal, and territorial government organizations as well as private industry organizations in the medical, legal, telecommunications, finance, and energy fields around the world.
These breaches’ severity and widespread nature resulted in a joint alert from the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and security agencies from the United Kingdom, Australia, New Zealand, and Singapore in February 2021.
Details of Accellion Healthcare Data Breach
In the settlement, Accellion denied any responsibility for the breach and expressly stated they “did not guarantee the security of the FTA software to customers,” and quoted their license agreement that “explicitly states that each FTA Customer is ‘solely responsible and liable for the use of and access to…’ the FTA software ‘and for all files and data transmitted, shared, or stored using’ FTA.”
In 2014 Kiteworks was launched as a successor to FTA. Most customers had migrated to the new software by early 2020, and the company was no longer selling new licenses for the FTA product.
However, they allowed existing customers to renew their FTA licenses. The last security update to the FTA product was in February 2019.
As part of the settlement, Accellion is retiring the Accellion FTA and taking steps to ensure the security of its replacement Kiteworks solution. Those steps include increasing its bug bounty program, maintaining FedRAMP certification, employing individuals responsible for cybersecurity, providing cybersecurity training to its workforce, and undergoing regular assessments to confirm continued compliance with the security measures outlined in the settlement.
Accellion changed its brand name to Kiteworks in October 2021.
Organizations Affected by the Accellion Healthcare Data Breach
Lawsuits have also been filed against Accellion clients affected by the breach. Grocery chain Kroger Co. agreed to a $5 million settlement in July 2021 because the vulnerability potentially compromised the pharmacy records of 1,474,284 patients. Kroger reported the major breach using the HIPAA Breach Notification Tool on the HHS website and appears to have complied with the HIPAA Breach Notification Rule requirements.
Other healthcare organizations affected by the breach include Health Net Community Solutions, Health Net of California, California Health & Wellness, Trinity Health, The University of California, Stanford University School of Medicine, University of Miami Health, Beaumont Health (MI), Cayuga Medical of Ithaca, NY, Lehigh Valley Health of Pennsylvania, Trillium, Community Health Plan, University of Maryland-Baltimore, Arizona Complete Health, CalViva Health, and Health Employees’ Pension Plan.
Plaintiffs’ lawyers have disclosed pending settlements with managed care company Centene Corporation’s subsidiary Health Net LLC.
Takeaways From the Breach
As the legal issues unfold, there are still outstanding considerations for Accellion/Kiteworks and the organizations affected by the cyberattacks. The Office for Civil Rights at the Department of Health and Human Services has not yet announced whether there will be fines or other penalties for the healthcare providers or business associates whose data was compromised.
This case also underscores some points commonly overlooked by many working to achieve HIPAA compliance.
First, it is absolutely essential that healthcare providers and business associates have signed Business Associate Agreements before any protected health information (PHI) is exchanged. Not only is it the law, but it also provides clearly defined duties and responsibilities between the parties.
Second, organizations must regularly examine security risk assessment data on their current and potential business associates. Compliancy Group has a security assessment questionnaire for business associates built into our industry-standard HIPAA Compliance software solution, “The Guard.” This helps you automate the information-gathering process for risk assessments of your business associates.
Ultimately, the organization’s Compliance and Privacy Officers must determine whether their partners appropriately protect PHI. The Accellion breach proves that organizations must be willing to regularly examine how they address cybersecurity and be willing to ask, “Is this enough?”