Cyber Incident Victim: California Health & Wellness
Date: Dec 2020
Location: United States of America
Summary
A cyberattack targeting Accellion's unpatched File Transfer Appliance compromised California Health & Wellness, exposing data of 80,000 individuals. Attackers exploited vulnerabilities to install a web shell, enabling unauthorized remote access and data theft. The stolen data included sensitive personal and medical information, heightening risks of identity theft and fraud. The incident impacted multiple healthcare entities, including Centene Corp.-owned health plans and academic institutions, and stolen data was linked to the Clop ransomware gang, which demanded payments. This breach underscores systemic third-party security risks in healthcare's information infrastructure, where compromised file-sharing services facilitated widespread data exposure across interconnected organizations.
Description
The December 2020 cyberattack targeting Accellion’s legacy File Transfer Appliance (FTA) software impacted multiple healthcare organizations, including California Health & Wellness, a Centene Corp.-owned health plan. Attackers exploited unpatched vulnerabilities in the FTA system, using reverse engineering techniques to install a web shell—a malicious script enabling remote command execution—on compromised servers. This allowed unauthorized access to systems, bypassing authentication controls to exfiltrate sensitive data. The breach was disclosed months later, with California Health & Wellness reporting in 2021 that approximately 80,000 individuals were affected. Centene Corp. filed a lawsuit against Accellion following the incident, citing failures in securing the file-transfer platform. Other Centene subsidiaries impacted included Health Net Community Solutions (687,000 affected), Health Net of California (524,000 affected), and Health Net Life Insurance Co. (27,000 affected).

Mandiant, FireEye’s incident response group hired by Accellion, confirmed attackers stole data from fewer than 100 of Accellion’s 300 FTA customers, with fewer than 25 experiencing significant data theft. Stolen information included personally identifiable information (PII), protected health information (PHI), and Social Security numbers, heightening risks of financial fraud, tax refund fraud, and medical identity theft. The Clop ransomware gang claimed responsibility for some breaches, attempting to extort victims by threatening data sales or deletion unless ransoms were paid. Trinity Health, Stanford University School of Medicine, and the University of California system were among other entities compromised, with Trinity Health alone notifying 587,000 individuals in this incident after previously being affected by a separate 2020 Blackbaud breach impacting 3.3 million. The attack underscored systemic third-party risks in healthcare data ecosystems, with critics highlighting insufficient security standards across vendor networks. No specific containment measures by California Health & Wellness were detailed, though Centene’s legal action against Accellion represented a direct organizational response to the breach.
