The health system agreed to resolve claims after files on its secure transfer platform were accessed by an unauthorized party.
Trinity Health learned on January 29, 2021, that attackers had exploited a zero-day vulnerability in the Accellion File Transfer Appliance (FTA), which the organization used for secure email and file exchange. Multiple Accellion FTA customers were affected during that period, when attackers downloaded files containing personal and medical information.
Trinity Health determined that files stored on its Accellion FTA system had likely been accessed and downloaded by an unauthorized party. The files contained names, contact details, birth dates, medical record numbers, laboratory information, medications, claims data, Social Security numbers, and limited financial information. Notification letters were sent to California residents whose data appeared in the compromised files, and recipients were offered credit monitoring and identity protection services. A class action lawsuit was filed in Fresno County Superior Court alleging that the organization failed to maintain appropriate safeguards, including encryption of data stored on the Accellion system. Trinity Health and codefendants denied the allegations but chose to settle to avoid the additional cost and uncertainty of extended litigation.
Court filings show that the plaintiffs raised claims under California privacy and consumer protection laws and sought damages and injunctive relief. Trinity Health stated that the settlement does not represent an admission of wrongdoing and that it continues to maintain measures intended to safeguard personal data. Class counsel noted that the settlement provides a practical path forward for reimbursement of out-of-pocket expenses and a one-time cash payment for eligible class members. The court will review settlement terms after the objection and claims periods end.
The Accellion FTA compromise impacted universities, government agencies, and healthcare organizations, demonstrating how third-party file-transfer tools can become points of exposure when legacy systems reach end of life. The U.S. Government Accountability Office has found that aging or unsupported systems “pose significant cybersecurity risks because many are outdated or no longer supported,” especially when they continue to manage routine data exchanges. The UK National Cyber Security Centre similarly warns that legacy and obsolete technologies “increase your exposure” when they remain in active use.
The tool was used widely across healthcare, finance, government, and education, which meant a single set of vulnerabilities produced widespread and coordinated exploitation.
Organizations often store reports, billing records, laboratory files, and other structured documents that contain sensitive identifiers and medical or financial information.
Organizations can plan a transition to supported alternatives, review stored data, apply available patches, and reduce reliance on older systems as part of their risk management program.
Courts often examine how the organization configured the tool, whether patches or mitigations were applied, and whether sensitive data was encrypted or stored unnecessarily.
Class members can usually request reimbursement for documented expenses linked to identity theft or fraud and may be eligible for a one-time cash payment, depending on participation rates.