On February 26, Arizona Complete Health notified plan members of the Accellion breach. According to the notification (see below), the threat actors (who have since self-identified as CLOP) were able to “view or save” member information between January 7 and January 25, 2021.
The types of ePHI involved included insured members’ names and one or more of the following:
- Address
- Date of birth
- Insurance ID Number
- Health information, such as your medical condition(s) and treatment information
As part of its response to the incident, the covered entity offered those affected credit monitoring and identity theft restoration services for one year. They also reviewed their processes for sharing data to make sure they are not at risk of a similar attack, and “Stopped using Accellion’s services and removed all of our data files from its system.”
On March 2, AzCH reported this incident to HHS as impacting 27,390 plan members. The health plan is not listed on the threat actors’ dedicated leak site at the time of this publication.
Other Entities Also Reporting Protected Health Information Involved in Accellion Breach
AzCH is not the first Accellion client to report that ePHI was involved in the breach:
- DataBreaches.net found what may be ePHI (pharmacy records) in the Jones Day data dump
- Kroger Health Services reported pharmacy records were involved
- Southern Illinois University School of Medicine notified patients
- University of Colorado informed their local media that the breach may have also included “limited health and clinical data, and study and research data;” and
- Trillium Community Health Plan also notified its members of the breach.
We do not have numbers for most of the reports yet, and we will likely discover other entities that were also impacted.
AZCH_Member Notice oF Accellion Breach