HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Tens of Thousands of TennCare and Florida Blue Members Impacted by Business Associate Phishing Attack

Further healthcare organizations have confirmed they have been affected by a data breach at Magellan Health National Imaging Associates, a business associate of several HIPAA-covered entities that provides managed pharmacy and radiology benefits services.

Danville, PA-based Geisinger Health Plan announced last month that 5,848 of its members had been affected by the breach and Albuquerque, NM-based Presbyterian Health Plan has confirmed that 56,226 of its members have been affected. In the past few days, health insurance company Florida Blue and the Tennessee state Medicaid program, TennCare, have made similar announcements.

The phishing attack occurred on May 28, 2019. Magellan Health NIA learned of the breach on July 5, 2019 and took action to secure the affected email account. The breach was detected when the compromised account was used to send out large quantities of spam email.

The internal investigation confirmed that the mailbox had been accessed on several occasions by an individual based outside the United States. The purpose of the attack appears to have been solely to use the email account to send out spam. No evidence was found to indicate protected health information had been accessed or stolen, but the possibility could not be discounted.

TennCare was advised on September 11 that it had been affected, a day after Magellan Health discovered it had been impacted. Magellan Health NIA notified Geisinger Health Plan about the breach on September 24, and Florida Blue was alerted on September 25.

Florida Blue has not yet disclosed exactly how many of its members have been affected, only stating that fewer than 1% of its 5 million members had their protected health information exposed. The information compromised in the attack was limited to name, date of birth, member ID number, health plan name, provider name, drug name, name of imaging procedures performed, benefit authorization outcome, and authorization number. Florida Blue is providing complimentary credit monitoring services to affected members.

TennCare has confirmed that 43,847 individuals were impacted by the breach. The information potentially compromised included names, member ID numbers, health plan information, provider names, names of prescribed medications, and Social Security numbers. TennCare has confirmed that members affected by the breach are being offered credit monitoring services as a precaution against misuse of their information.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.