On February 5, 2021, Goodwin Procter LLP (“Goodwin”) notified Beaumont Health (“Beaumont”) of a security incident at Accellion, a third-party vendor whose File Transfer software was used by Goodwin for large file transfers on behalf of clients, including Beaumont. Goodwin received some personal and protected health information from Beaumont in connection with legal services provided to Beaumont by Goodwin.
The security incident at Accellion impacted the File Transfer software, which put a limited amount of patient information at risk. Upon learning of the issue, Goodwin immediately took the appliance offline and launched an investigation into the issue and its impact on both Goodwin and its clients. This investigation, which is being supported by a leading forensic investigation firm, determined that certain files present on the appliance on January 20, 2021 were downloaded by an unknown user as a result of the exploitation of a previously unknown vulnerability in the Accellion appliance.
Goodwin notified Beaumont of the Accellion security incident after determining that the information removed by the threat actor may have contained Beaumont patient information. Beaumont subsequently conducted its own independent analysis of the information impacted by the Accellion incident and discovered on June 28, 2021 that the impacted information contained some patient health information of some Beaumont patients.
The potentially impacted information included a listing of roughly 1500 patients who had one of two procedures performed at a Beaumont Hospital. The list included the patient name, procedure name, physician name, the internal medical record number, and the date of service. This incident is limited to these patients and does not affect all patients of Beaumont. No patient financial information was impacted.
To date, neither Goodwin nor Beaumont are aware of any reports of identity fraud or improper use of any information as a result of this incident. Out of an abundance of caution, Goodwin provided written notification of this incident on behalf of Beaumont commencing on August 27, 2021 to all those potentially impacted to the extent Beaumont had a last known home address. The notice letter specifies steps impacted individuals may take in order to protect themselves against identity fraud, including enrolling in complimentary credit monitoring services (if eligible), placing a fraud alert/security freeze on their credit files, obtaining free credit reports, remaining vigilant in reviewing financial account statements and credit reports for fraudulent or irregular activity on a regular basis, and taking steps to safeguard themselves against medical identity theft.
Upon becoming aware of the vulnerability, Goodwin immediately took steps to terminate access and use of the service, investigate the event, and confirm the security of its network. Additionally, Goodwin is further evaluating its data security policies and procedures. Goodwin provided notice of this incident to Beaumont, and to impacted individuals, so that steps may be taken to protect the personal information of impacted individuals.
At Beaumont, protecting the privacy of personal information is a top priority. Beaumont is committed to maintaining the privacy of personal information in its possession and has taken precautions to safeguard it. Beaumont continually evaluates and modifies its practices and internal controls to enhance the security and privacy of personal information.
If you have any further questions regarding this incident, please call the dedicated and confidential toll-free response line set up to respond to questions at 877-274-2764.