Notice of Washington State Auditor’s Office Accellion Privacy Incident
EvergreenHealth was notified by the Washington State Auditor’s Office (“SAO”) of a data security incident experienced by Accellion, Inc. (“Accellion”), a third-party data file transfer service used by SAO to transfer data files for auditing purposes.
As a public hospital district, EvergreenHealth is required to undergo annual audits by the SAO to remain in compliance with state regulations. For the 2019 annual audit, this involved submitting data related to payments for patient services to SAO using the Accellion file transfer service. In mid-January 2021, SAO learned that a security incident involving the Accellion file transfer service had occurred in late December 2020. SAO was advised that an unauthorized person had gained access to data stored in SAO’s file transfer account with Accellion. SAO immediately launched an investigation to determine the scope of the incident and how it may have involved information sent to SAO for audit purposes. SAO also engaged cybersecurity experts to assist with its investigation. On April 26, 2021, SAO confirmed that that this incident involved information for some of EvergreenHealth’s patients. The incident impacted Accellion customers worldwide and is under investigation by law enforcement.
After learning of the incident, EvergreenHealth launched an internal investigation to identify the individuals whose information may have been contained in the files involved, which was completed on May 3, 2021. Through this review, EvergreenHealth identified files that contained a limited subset of some patients’ information, which included patients’ names, dates of service, health insurance status, visit numbers, and limited information about payments made to or received by patients. For a very limited number of patients, this incident may have involved their dates of birth. This incident did not involve any patients’ medical diagnosis or treatment information, nor did it involve patients’ Social Security numbers, banking information, or credit card numbers.
On July 14, 2021, EvergreenHealth began mailing letters to patients whose information may have been involved in the incident. We have also established a dedicated, toll-free call center to answer questions that patients may have. If patients have questions, they should call 855.654.0833 beginning July 14, Monday through Friday, between 6 a.m. and 6 p.m., Pacific Time. We recommend that patients whose information may have been involved in this incident review the statements they receive from their healthcare providers and health insurance plan. If they see any services that were not received, they should contact the provider or health plan immediately.
EvergreenHealth takes data security seriously and deeply regrets any concern or inconvenience this matter may cause its patients. SAO continues to work to minimize risks associated with the transfer of data files.