Cyber Incident Victim: Arizona Complete Health

Date:

Jan 2021

Location:

United States of America

Summary

Arizona Complete Health experienced a data breach stemming from a cyberattack on its third-party file-sharing vendor, Accellion, where unauthorized actors accessed files containing member information. The compromised data included names, addresses, dates of birth, insurance identification numbers, and health details such as medical conditions and treatment information. The organization terminated its relationship with Accellion, removed all data from the vendor's systems, and initiated an internal review of data-sharing protocols. While no evidence of misuse was identified, affected individuals were offered complimentary credit monitoring and identity theft protection services for one year. Law enforcement, including the FBI, was engaged to investigate the incident.

CIA Posture: Available to members
Motives: 3 motives
Tactics, Techniques & Procedures: 1 technique
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

Arizona Complete Health (AzCH) was notified on January 25, 2021, that its file-sharing vendor Accellion had suffered a cyber-attack compromising member data. The breach occurred between January 7 and January 25, 2021, when an unauthorized actor accessed AzCH files stored on Accellion's system. The attacker potentially viewed or exfiltrated files containing protected health information exchanged between AzCH and healthcare providers. Exposed data included member names accompanied by addresses, dates of birth, insurance identification numbers, and medical details such as diagnoses and treatment histories. AzCH confirmed the incident stemmed from unauthorized access to Accellion's infrastructure rather than AzCH's own systems.

Upon discovery, AzCH initiated response measures including collaboration with Accellion to investigate the breach scope and forensic analysis of compromised files. The organization terminated its relationship with Accellion, removing all data from the vendor's systems. AzCH reviewed its data-sharing protocols to prevent similar incidents while Accellion engaged law enforcement agencies including the FBI. Although no evidence indicated misuse of stolen data, AzCH offered affected members one year of complimentary credit monitoring and identity theft protection services. The health plan advised members to review insurance statements for unauthorized transactions and provided instructions for implementing credit freezes or fraud alerts through a supplemental identity protection guide distributed with breach notification letters.
