CalViva Health suffered a significant data breach stemming from a cyber attack on its third-party vendor, Accellion, between January 7–25, 2021. The incident exposed sensitive personal information of approximately 1,000,000 individuals, including names, addresses, dates of birth, insurance ID numbers, and health records. The breach occurred due to vulnerabilities exploited in Accellion’s file-transfer system, leading to unauthorized access and potential exfiltration of protected health data. While the attack targeted a vendor, the repercussions directly impacted CalViva Health’s customers, raising concerns over identity theft, financial fraud, and misuse of medical information. The scale of the breach—affecting a vast number of individuals—highlights systemic risks in third-party dependencies and the critical need for robust cybersecurity measures in healthcare sectors handling highly sensitive data.
Source: https://oag.ca.gov/ecrime/databreach/reports/sb24-539503
TPRM report: https://www.rankiteo.com/company/lhpc
"id": "lhp727082025",
"linkid": "lhpc",
"type": "Cyber Attack",
"date": "1/2021",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '1,000,000',
'industry': 'Healthcare',
'location': 'California, USA',
'name': 'CalViva Health',
'type': 'Healthcare Provider'},
{'industry': 'File Transfer Services',
'name': 'Accellion',
'type': 'Third-Party Vendor'}],
'data_breach': {'data_exfiltration': 'Likely (data accessed by unauthorized '
'parties)',
'number_of_records_exposed': '1,000,000',
'personally_identifiable_information': ['names',
'addresses',
'dates of birth',
'insurance ID '
'numbers'],
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Personal Information (PII)',
'Protected Health Information '
'(PHI)']},
'description': 'The California Office of the Attorney General reported that '
'CalViva Health experienced a data breach due to a cyber '
'attack on its third-party vendor, Accellion, which occurred '
'between January 7, 2021, and January 25, 2021. The breach '
'potentially affected personal information, including names, '
'addresses, dates of birth, insurance ID numbers, and health '
'information. Approximately 1,000,000 individuals may have '
'been affected.',
'impact': {'data_compromised': ['names',
'addresses',
'dates of birth',
'insurance ID numbers',
'health information'],
'identity_theft_risk': 'High (personal and health data exposed)'},
'references': [{'source': 'California Office of the Attorney General'}],
'regulatory_compliance': {'regulations_violated': ['Potential HIPAA (Health '
'Insurance Portability and '
'Accountability Act) '
'violations',
'California Consumer '
'Privacy Act (CCPA) '
'notifications likely '
'required'],
'regulatory_notifications': ['California Office of '
'the Attorney '
'General']},
'title': 'CalViva Health Data Breach via Accellion Cyber Attack',
'type': 'Data Breach'}