Cyber Incident Victim: Health Net LLC

The data breach impacting Health Net LLC, a subsidiary of Centene Corp., occurred on or around December 24, 2020, when attackers compromised sensitive personal health information through a vulnerability in Accellion’s legacy file transfer appliance (FTA) software. This security failure exposed protected health data belonging to Health Net members, though the exact number of affected individuals remains unspecified in available public litigation records. The breach stemmed from Accellion’s FTA system, which Centene had utilized for secure data transfers prior to the incident. Unauthorized actors exploited unpatched vulnerabilities in the aging Accellion platform to access and exfiltrate sensitive member information stored within Health Net’s systems.

Centene initiated multiple response measures following discovery of the breach, including remediation efforts to secure compromised systems, mitigation protocols to prevent further unauthorized access, and mandatory breach notifications to affected individuals. The company incurred substantial expenses related to providing credit monitoring services to impacted members, regulatory reporting obligations across multiple jurisdictions, and legal fees associated with breach management. In March 2021, Centene filed a lawsuit against Accellion in federal court, alleging the vendor failed to honor indemnification obligations under their contract despite clear security requirements. The complaint specifically cited Accellion’s refusal to cover costs for breach response activities, including consumer notifications, monitoring services, and regulatory compliance efforts. This legal action formed part of broader litigation against Accellion following multiple FTA-related breaches affecting various organizations during the same timeframe. The incident resulted in operational disruptions and significant financial liabilities for Centene through mandated consumer protection measures and ongoing legal proceedings.