Another Accellion breach victim has been named nine months after threat actors exploited zero-day vulnerabilities in the company’s File Transfer Application.
Goodwin Procter LLP, which was hired by Beaumont to provide legal services, used Accellion’s File Transfer software to carry out large transfers on behalf of its clients. On February 5, Goodwin advised the healthcare provider that patient data may have been compromised.
A digital forensics investigation launched by Goodwin after news of the Accellion breach came to light found that an unknown user had exploited a vulnerability in the software to download certain files.
“The potentially impacted information included a listing of roughly 1500 patients who had one of two procedures performed at a Beaumont Hospital,” said a statement issued on August 27 by Beaumont Health.
“The list included the patient name, procedure name, physician name, the internal medical record number and the date of service. This incident is limited to these patients and does not affect all patients of Beaumont.”
The healthcare provider added that no financial information had been impacted by the incident and that neither Beaumont nor Goodwin had found any evidence of the compromised data being used improperly.
Goodwin, on behalf of Beaumont, contacted impacted individuals by letter at their last known address on August 27 to notify them of the data breach.
“The notice letter specifies steps impacted individuals may take in order to protect themselves against identity fraud, including enrolling in complimentary credit monitoring services (if eligible), placing a fraud alert/security freeze on their credit files, obtaining free credit reports, remaining vigilant in reviewing financial account statements and credit reports for fraudulent or irregular activity on a regular basis and taking steps to safeguard themselves against medical identity theft,” stated Beaumont.
Following the incident, Goodwin is evaluating its data security procedures and protocols.
News of the data breach comes a year after a phishing attack on Beaumont Health may have exposed the data of 6000 patients.