Health Insurer Sues Accellion in Wake of Hacking IncidentCentene Corp. Alleges Vendor Failed to Comply With Business Associate Agreement
As the list of healthcare sector entities affected by the recent hacking of Accellion's File Transfer Appliance platform continues to grow, the technology vendor faces a lawsuit filed by one of its affected clients, health insurer Centene Corp.
Centene alleges that Accellion has refused to comply with a list of provisions in its business associate agreement with Centene.
The insurer says the Accellion data breach exposed and compromised the protected health information, personally identifiable information and other confidential information of "a significant number" of health plan members.
Centene says the Accellion incident will cause it to incur significant costs, including remediation, mitigation, victim and regulator notification and attorneys' fees. The lawsuit requests the court order Accellion to comply with the terms of its business associate agreement and reimburse the insurer for all breach-related expenses.
Centene uses Accellion's software to transfer PHI, PII and other confidential information belonging to individuals who are enrolled in its health insurance plans, the lawsuit notes. It took attackers less than two hours to download all of Centene's files - 9 gigabytes of data - contained on its Accellion systems, the insurer alleges.
Neither Centene nor Accellion immediately responded to Information Security Media Group's requests for comment on the lawsuit.
Centene is among a growing list of entities across many industries – including the healthcare, legal and government sectors – that have been affected by the Accellion incident.
Other organizations that have recently reported health data breaches linked to Accellion include Ohio-based supermarket and pharmacy chain Kroger, which reported 368,000 affected individuals; Oregon-based health plan Trillium Community Health Plan, which said the breach affected 50,000 individuals; and Arizona Complete Health, which said more than 27,000 individuals were affected.
Other victims around the world have included Australia-based NSW Health and the QIMR Berghofer Medical Research Institute as well as the Reserve Bank of New Zealand (see: Accellion Attack Involved Extensive Reverse Engineering).
Lessons to Learn
Healthcare sector entities can learn from the legal dispute between Centene and Accellion.
"Covered entities must update their due diligence with business associates regularly and make sure their BA agreement is current," says regulatory attorney Paul Hales of the Hales Law Group, who is not involved in the Centene lawsuit.
"Healthcare merger and acquisition procedures frequently overlook granular review of HIPAA compliance that is necessary to inform and protect the acquiring organization," he notes.
Privacy attorney David Holtzman of consulting firm HITprivacy LLC says healthcare organizations should carefully examine their business partners' practices to ensure they have invested in technical security controls to monitor suspicious activity.
"Look carefully at the information security and privacy safeguards that a vendor has in place when outsourcing a service that will create or maintain personally identifiable information," he says. "Review the vendor's risk assessment and risk management plans to ensure they have the information security strategy that best fits your needs and expectations.
"The types of incidents that involve vendors providing data management services for healthcare business operations are the scariest of incidents because of the breadth and sheer volume of the data they could be handling."