Extent of Magellan Health Ransomware Becomes Clear: More Than 364,000 Individuals Affected

HIPAA Journal previously reported on an April 2020 ransomware attack on Magellan Health. Further information on the attack has now been released that shows the scale of the attack.

The incident has now been listed on the HHS’ Office for Civil Rights breach portal as affecting 6 Magellan entities, each of which has reported the incident separately. Several other entities have also submitted breach reports confirming their patients and subscribers have also been affected.

It is too early to tell exactly how many individuals have been affected by the ransomware attack, but the total as of July 1, 2020 exceeds 364,000, making the attack the third largest healthcare data breach to be reported in 2020. There may still be some entities that have yet to report the breach.

Entities known to have been impacted by the breach are listed in the table below.

Affected Entity Entity Type Individuals Affected
Magellan Healthcare, Maryland Business Associate 50,410
Magellan Complete Care of Florida Health Plan 76,236
Magellan Rx Pharmacy Healthcare Provider 33,040
Magellan Complete Care of Virginia Health Plan 3,568
Merit Health Insurance Company Health Plan 102,748
National Imaging Associates Business Associate 22,560
University of Florida Jacksonville Healthcare Provider 54,002
University of Florida, Health Shands Healthcare Provider 13,146
University of Florida Healthcare Provider 9,182
Total   364,892

In contrast to many of the healthcare ransomware attacks that have been reported in recent weeks, where access to networks was gained through brute force attacks on remote desktop services or the exploitation of vulnerabilities in VPNs, this attack started with a spear phishing email in which a Magellan client was impersonated. That email was sent on April 6 and the ransomware was deployed less than a week later.

Magellan explained in its substitute breach notification letter sent to the California Attorney General’s Office that the attacker downloaded malware that was designed to steal login credentials and passwords, and gained access to a single Magellan corporate server and stole employee information. The data stolen in the attack related to current employees and included the following data elements: Address, employee ID number, and W-2 or 1099 details such as Social Security number or Taxpayer ID number. For a limited number of employees, usernames and passwords were also obtained.

The notice of security incident on the Magellan Health websites confirms patients of Magellan Health and its subsidiaries and affiliates were also impacted, and the following types of data were exposed: Treatment information, health insurance account information, member ID, other health-related information, email addresses, phone numbers, and physical addresses.  In certain instances, Social Security numbers were also affected.

No mention is made on the June 12, 2020 website notice whether protected health information was also stolen in the attack. In all cases, Magellan Health says no evidence has been uncovered to date to suggest any patient or employee information has been misused.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.