Accellion breach exposed data from patients at major Michigan hospital system

It's the latest in a long list of victims.
ROYAL OAK, MI - APRIL 08: A view of the north entrance to Beaumont Hospital on April 8, 2020 in Royal Oak, Michigan. (Photo by Elaine Cromie/Getty Images)

A major Michigan hospital system on Friday notified roughly 1,500 patients that their information may have been exposed as a result of a hack against file-sharing service Accellion.

The law firm Goodwin Proctor notified Beaumont Health in February that patient data shared by the hospital with legal counsel may have been entangled in the wide-reaching hack through the firm’s use of Accellion. Beaumonth Health is a network of health facilities that reported $4.58 billion in total revenue for 2020.

A follow-up investigation by Beaumont found that impacted patient health data included patient name, procedure name, physician name, internal medical record number and dates of service. No patient financial information was impacted, the hospital stated in a press release.

Beaumont Health joins a list of at least 11 healthcare organizations that were affected by a December breach of the file sharing service Accellion. Two of the victims, Kroger Pharmacy and healthcare insurer Centene, both had more than a million individuals’ data exposed by the hack. The incident, which also ensnared Qualys and a number of universities, was the work of a pernicious ransomware gang that has demanded extortion fees from unwitting victims, FireEye previously found


Cybercriminals exploited multiple vulnerabilities in Acellion’s software late last year, allowing them to infiltrate the company’s file-sharing tool to gather information from the company’s customers. The group unleashed a wave of extortion attempts against victims in late January, threatening to share their stolen data if they didn’t pay up.

Nearly nine months since the breach, the Accellion hack continues to claim a growing number of victims across industries.  Victims of the attack also include Morgan Stanley, law firm Jones Day and Canadian plane manufacturer Bombardier.

Tonya Riley

Written by Tonya Riley

Tonya Riley covers privacy, surveillance and cryptocurrency for CyberScoop News. She previously wrote the Cybersecurity 202 newsletter for The Washington Post and before that worked as a fellow at Mother Jones magazine. Her work has appeared in Wired, CNBC, Esquire and other outlets. She received a BA in history from Brown University. You can reach Tonya with sensitive tips on Signal at 202-643-0931. PR pitches to Signal will be ignored and should be sent via email.

Latest Podcasts