Insurer Centene Sues Accellion for Data Member Leak

Health insurer Centene Corp. filed a lawsuit on March 11 against cloud data provider Accellion, over a January cyberattack that exposed the personal information of Centene-subsidiary Health Net.

The St. Louis-based insurer claims Accellion didn’t honor the costs associated with the leakage of confidential information belonging to its subsidiary. Centene said that despite the clear requirements of the indemnification agreement with the company, the cloud provider refused to take responsibility stemming from the hacking incident.

Centene has to take on the costs associated with the breach, including credit monitoring, notification, mitigation, remediation, regulatory reporting, and lawyer fees. Threat actors exploited four vulnerabilities on the file transfer system, exposing several clients, including Centene and Kroger pharmacy.

Centene Sues Accellion for Data Member Leak

The insurer is seeking unspecified damages for costs on the response to the cyberattack and makes Accellion responsible for the legal claims of Health Net customers. The cloud storage provider faces mounting legal troubles linked to the data breach, which compromised less than a third of its 300 clients who are using the FTA software.

In addition to the unspecified damages, Centene is also seeking the Delaware Chancery Court to hold Accellion responsible for auditing in compliance with the contracts. By submitting the reports, Centene can point out other weak spots that the cloud provider hasn’t take action.

The cause of action indicated by Centene is a breach of contract. Accellion declined to comment yet on the lawsuit but has been open about the breach incident that tampered with its file transfer appliance product.

Accellion claims the FTA product is nearing its end-of-life after 20 years, following the sophisticated cyberattack. It mentioned on the press release how all customers are notified about the incident on December 23, 2020, while it patched all vulnerabilities exploited by the attackers.

The company was made aware that in mid-December 2020, FTA legacy software had zero-day vulnerability. It only released a 72-hour fix and continued the service in January 2021. The firm identified the additional exploits in weeks and rapidly developed a patch for each vulnerability.

“We have encouraged all FTA customers to migrate to kiteworks for the last three years and have accelerated our FTA end-of-life plans in light of these attacks. We remain committed to assisting our FTA customers but strongly urge them to migrate to kiteworks as soon as possible,” said Accellion in a press release.