Magellan Health Data Breach Victim Tally Reaches 365K Patients

An April ransomware attack on Magellan Health has been reported to HHS as impacting over 365,000 patients; member portal breaches and another ransomware attack complete this week’s breach roundup.

The extent of the ransomware attack that hit Arizona-based Magellan Health in April became clear this week, with eight Magellan Health affiliates and healthcare providers reporting breaches stemming from the incident to the Department of Health and Human Services. The breach reporting tool shows about 365,000 patients were affected.

In April, the Fortune 500 company was reportedly the victim of a sophisticated cyberattack, in which hackers first exfiltrated data before deploying the ransomware payload. By leveraging a social engineering phishing scheme that impersonated a Magellan client, the attackers were able to gain access to the system five days before the ransomware attack. 

The investigation determined hackers first installed malware able to steal employee credentials and passwords to gain access to the affected server. Patient data was also compromised in the event, including health-related information such as health insurance account data and treatment information.

The attack was contained to a single corporate server but compromised the data of current employees and a trove of sensitive patient data, from Social Security numbers and W-2 information to taxpayer identification and employee ID numbers.

At the time of the initial report, it was unclear just how many of its clients or affiliates would be affected. The HHS breach reporting tool now includes a tally of its victims from some healthcare providers and its affiliate organizations.

Specifically, the tally includes Magellan-affiliate Merit Health Plan (102,748 patients), Magellan Complete Care of Florida (76,236 patients), the University of Florida Health Jacksonville (54,002 patients), Magellan Healthcare in Maryland (50,410 patients), Magellan Rx Pharmacy (33,040 patients), Magellan-affiliate National Imaging Associates (22,560 patients), UF Health Shands (13,146 patients), UF Health (9,182 patients), and Magellan Complete Care of Virginia (3,668 patients).

With its tally of 365,000 breach victims, the Magellan incident is the third-largest reported healthcare data breach so far in 2020.

Notably, this was the second breach reported by the third-party vendor in the last year. A 2019 phishing incident at Magellan lasted for more than a month and affected Florida Blue, TennCare, Geisinger Health Plan, Presbyterian Health, and McLaren Health.

2 Health Insurance Companies Report Hack of Member Portals

Independence Blue Cross and AmeriHealth New Jersey both reported suspected hacks of their member portals, caused by credential reuse. 

The notifications from the insurance companies are nearly identical. On May 8, officials said they discovered that certain member information may have been accessible for unauthorized viewing through the relevant member portals. 

An investigation was launched to determine the scope of the incident, which found some plan members used the same password credentials across multiple websites. The impacted credentials were stolen during the 2018 compromise of the MyFitnessPal application. 

As a result, hackers were able to use the stolen credentials to gain access to certain pages within the member portals. For both insurance companies, the access continued from March 17 through April 30, 2020. 

The data compromised during the hacks included information related to the affected members, such as names, member identification numbers, plan types, spending account balances, user reward summaries, and claims data. No Social Security numbers, financial data, or credit cards were impacted.

All patients will receive two years of free credit monitoring. Both insurers have since taken steps to ensure the security of member portals, while reviewing company policies and procedures and implementing additional controls to prevent future incidents. 

Password reuse is a common security mistake, with the Department of Homeland Security recently warning that hackers are compromising Virtual Private Networks (VPNs) with stolen credentials. The attacks are highly successful, given the frequency of users failing to update passwords after a known breach or reusing passwords across different platforms. 

Ransomware Attack on Healthcare Fiscal Management Impacts 58K

Nearly two months after Maze ransomware hackers claimed to have posted data stolen from Healthcare Fiscal Management on the dark web, the revenue cycle management company has confirmed an April breach to HHS. 

In total, 58,000 patients are being notified that their data was breached during the incident. 

The hacking group posted a zip file with data allegedly stolen from HFM during a ransomware attack in April. The recent breach notification explained the cyberattack impacted St. Mary’s Health Care System patients who visited the Athens, Georgia provider between November 2019 and April 2020.

The notice did not confirm the breach was tied to Maze. 

HFM first discovered the ransomware attack, which impacted portions of its server and data infrastructure, on April 13. The systems were taken offline, and HFM moved to restore the servers using a new hosting vendor with heightened security tools and monitoring.

An investigation was launched with assistance from an outside forensics firm, which found the hackers first accessed the server on April 12 before the ransomware was launched the next day. As a result, the attackers were able to access or acquire patient data, including Social Security numbers, dates of birth, protected health information, medical record numbers, and a host of other personal information. 

HFM was able to restore security and services on the same day the attack was discovered using backups and other information maintained by the vendor. The forensics team was able to determine the data “is no longer in possession of third-parties or accessible via the internet.”

The vendor is continuing to strengthen its security program and has offered impacted patients a year of credit monitoring and identity theft protection services. 
