Accellion-related breach disclosures continue to unfold

Beaumont Health is the latest organization to disclose an incident related to the Accellion breach last year.

In a statement Friday, the healthcare system, based in Southfield, Mich., revealed that the information of 1,500 patients may have been affected. Beaumont is a client of Goodwin Procter LLP, a law firm that used Accellion's File Transfer Appliance (FTA) product, a 20-year-old file-sharing software that was approaching end of life. Last year, the legacy software was the target of an attack that claimed more victims than initially anticipated.

Accellion first learned it was breached in December 2020, after a vulnerability was found in FTA. The incident was publicly disclosed the following month, where Accellion said it had fixed the vulnerability and released a patch, all within 72 hours. At that time, Accellion stated fewer than 50 customers were affected.

Since then, several affected customers -- and customers of those customers -- have come forward with reports of data breaches connected to the compromised FTA product. Victims range from jet manufacturer Bombardier Inc. to supermarket chain Kroger Co.

More significant is the growing list of victims that were customers of Accellion clients such as Morgan Stanley, which issued a disclosure in July. Morgan Stanley was a client of Guidehouse, a consulting firm and managed service provider that used FTA. Three healthcare centers were also among the affected Guidehouse customers.

Now, Beaumont Health, which comprises eight hospitals, 155 outpatient locations and nearly 5,000 physicians, joins that list.

According to Beaumont's statement, it was notified by Goodwin on Feb. 5 that the Accellion FTA software, used by the law firm for transferring large client files, had been attacked. Those files included "personal and protected health information" of Beaumont patients.

Beaumont confirmed the potential patient impact on June 28, after conducting an independent analysis. The analysis found that the information was limited to around 1,500 patients who had one of two procedures done at Beaumont Hospital and it did not include financial data.

While the impact was verified in June, it took nearly two months for patients to be notified. Beaumont said it provided written notification, sent to patients' home addresses, on Aug. 27.

In a statement to SearchSecurity, Beaumont explained that following the initial notification from Goodwin on Feb. 5, the law firm conducted a forensic investigation with a third-party organization to determine what client data may have been exposed or accessed.

"It took until June to complete the forensic analysis and provide Beaumont with a list of patient names and the type of data that was impacted," a Beaumont spokesperson wrote in an email to SearchSecurity. "However, the data provided by the forensic firm did not provide patient address information. It took several weeks to obtain the patient addresses and coordinate with a mailing firm and call center."

Beaumont's case is the latest in a series of extended investigations and lengthy disclosures and notification times connected to Accellion. For example, the Reserve Bank of New Zealand issued a statement in May, expressing concerns on the timeliness of alerts it received from Accellion. Additionally, it took Guidehouse nearly two months to notify Morgan Stanley, as well as the healthcare centers.

It does not appear Goodwin publicly disclosed the data breach, though the law firm sent notification letters to several states, informing regulators that it was likely affected by the FTA attack. In those notification letters, Goodwin said it was informed of a security incident by Accellion on Jan. 22, 2021.

SearchSecurity contacted Goodwin on Feb. 26 when reports first surfaced that the law firm was impacted. Goodwin declined to comment. SearchSecurity followed up recently after Beaumont was revealed as a victim, but the law firm did not respond.