Data Stolen in Magellan Health Ransomware Attack

Share this article on:

The Fortune 500 company Magellan Health has announced it experienced a ransomware attack in April that resulted in the encryption of files and theft of some employee information.

The ransomware attack was detected by Magellan Health on April 11, 2020 when files were encrypted on its systems. The investigation into the attack revealed the attacker had gained access to its systems following a response to a spear phishing email sent on April 6. The attacker had fooled the employee by impersonating a client of Magellan Health.

Magellan Health engaged the cybersecurity firm Mandiant to assist with the investigation into the breach, which revealed the attacker had gained access to a corporate server that contained employee information and exfiltrated a subset of that data prior to the encryption of files. The attacker also downloaded malware that was used to steal login credentials.

The data stolen by the hacker related to current employees and included names, addresses, employee ID numbers, and W-2 and 1099 information, which included taxpayer IDs and Social Security numbers. A limited number of usernames and passwords were also stolen in the attack. Magellan Health is unaware of any attempts to use that data but has advised affected individuals to be alert to the possibility of identity theft and misuse of their data.

Other individuals affected by the breach had the following information exposed, and potentially stolen, although data theft has not been confirmed: Treatment information, health insurance account information, member ID, other health-related information, email addresses, phone numbers, and physical addresses.  In certain instances, Social Security numbers were also affected.

Magellan Health is working closely with law enforcement and is aggressively investigating the breach and steps have already been taken to improve security to prevent similar breaches in the future. According to the sample breach notification letter submitted to the California Attorney General’s office, affected individuals have been offered a complimentary 3-year membership to Experian’s IdentityWorks identity theft detection and resolution service.

It is currently unclear exactly how many individuals have been affected by the breach, and it may be some time before the final total is ascertained. Currently there are several Magellan subsidiaries known to be affected. The protected health information of patients of several other healthcare providers was also exposed and potentially stolen in the attack.

Affected Entity Individuals Affected
Magellan Healthcare 50,410
Magellan Complete Care of Florida 76,236
Magellan Rx Pharmacy 33,040
Magellan Complete Care of Virginia 3,568
Merit Health Insurance Company 102,748
National Imaging Associates 22,560
University of Florida Jacksonville 54,002
University of Florida, Health Shands 13,146
University of Florida 9,182
Total 364,892

The ransomware attack comes just a few months after the company discovered some of its subsidiaries suffered phishing attacks. Magellan Rx Management, Magellan Healthcare, and National Imaging Associates were all affected. Announcements about the breaches were made in September and November 2019, with the phishing attacks allowing unauthorized individuals to gain access to employee email accounts in July 2019.  The emails in the compromised accounts contained the protected health information of 55,637 members.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On