Geisinger Health Plan Notifies Members About Business Associate Phishing Attack

Danville, PA-based Geisinger Health Plan has discovered the protected health information (PHI) of some of its members has been exposed as a result of a suspected phishing attack on one of its business associates, Magellan NIA.

Magellan NIA provides radiology benefits management services to the health plan, which requires access to plan members’ PHI.

Magellan NIA discovered the breach on July 5, 2019, when suspicious activity was detected in the email account of one of its employees. The account was immediately secured to prevent further unauthorized access and misuse, and an investigation was launched to determine the extent of the breach. The investigation revealed the account was first breached on May 28, and that there had been several connections to the account between May 28 and July 5. Those connections were made from a location outside the United States.

Geisinger Health Plan believes the sole purpose of the attack was to gain access to email accounts for the purpose of spamming, rather than to steal sensitive plan member data. However, it was not possible to rule out unauthorized data access and theft of plan member data, so the incident is being classed as a data breach. Affected members have been offered complimentary credit monitoring and identity theft protection services as a precautionary measure.

Magellan NIA has since implemented additional security measures to protect against further phishing attacks, including disabling certain email protocols, implementing Microsoft Password Hash Sync, and establishing geofencing.
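An added example, not from the article or from either organisation's own tooling, of the geofencing measure and the breach-scoping work described above: a Python check over constructed mailbox sign-in records that flags successful sign-ins from outside the allowed country and reports when the out-of-fence access began and ended. The log format, the account name, and the placeholder country code ZZ (the article does not name the country) are assumptions.

```python
# Geofence check over mailbox sign-in records (added example; the log format,
# account name and country code "ZZ" are constructed placeholders, chosen to
# mirror an account reached from outside the US between May 28 and July 5).
from datetime import datetime

ALLOWED_COUNTRIES = {"US"}  # the geofence: successful sign-ins elsewhere are flagged

# Constructed records: timestamp, account, source country, result.
SAMPLE_LOG = """\
2019-05-27T09:14:02Z,j.doe@ba.example,US,Success
2019-05-28T03:41:17Z,j.doe@ba.example,ZZ,Success
2019-06-04T22:05:49Z,j.doe@ba.example,ZZ,Success
2019-06-19T01:12:30Z,j.doe@ba.example,US,Success
2019-07-02T04:58:03Z,j.doe@ba.example,ZZ,Failure
2019-07-05T05:07:44Z,j.doe@ba.example,ZZ,Success
"""


def parse_log(text):
    """Parse CSV-style sign-in lines into dicts; skip blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        ts, account, country, result = parts
        records.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                        "account": account, "country": country, "result": result})
    return records


def geofence_report(records):
    """Per account: successful out-of-fence sign-ins, first/last time, and window in days."""
    report = {}
    for r in records:
        if r["result"] != "Success" or r["country"] in ALLOWED_COUNTRIES:
            continue
        entry = report.setdefault(r["account"], {"count": 0, "first": r["ts"], "last": r["ts"]})
        entry["count"] += 1
        entry["first"] = min(entry["first"], r["ts"])
        entry["last"] = max(entry["last"], r["ts"])
    for entry in report.values():
        # Exposure window an investigator must scope for data-access review.
        entry["days"] = (entry["last"] - entry["first"]).days
    return report


if __name__ == "__main__":
    for account, e in geofence_report(parse_log(SAMPLE_LOG)).items():
        print(f"{account}: {e['count']} out-of-fence sign-ins, "
              f"{e['first']:%Y-%m-%d} to {e['last']:%Y-%m-%d} ({e['days']} days)")
```

Failed sign-ins are excluded from the access window but are still worth alerting on, since they precede the successful ones in a credential-guessing or phishing sequence.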

Geisinger Health Plan says it was informed about the breach on September 24 and was sent a list of affected members on October 3. The business associate has notified affected members directly. Geisinger Health Plan ensured that the notification process was completed correctly and has now terminated its business relationship with the company.

At this stage, no information is available on the number of plan members that have been affected.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.