Fortune 500 company Magellan Health Inc announced today that it was the victim of a ransomware attack on April 11, 2020, which led to the theft of personal information from one of its corporate servers.
Magellan’s customers include health plans and other managed care organizations, labor unions, employers, military and governmental agencies, as well as third-party administrators.
Attackers phished their way inside Magellan’s systems
“On April 11, 2020, Magellan discovered it was targeted by a ransomware attack. The unauthorized actor gained access to Magellan’s systems after sending a phishing email on April 6 that impersonated a Magellan client,” Magellan SVP & Chief Compliance Officer John J. DiBernardi Jr says in a breach notification notice filed with the office of the Attorney General of California.
Magellan retained the services of cybersecurity firm Mandiant immediately after discovering the incident to help with the investigation and reported the attack to law enforcement agencies.
As the investigation revealed, the threat actors behind the ransomware attack were able to steal and exfiltrate “a subset of data from a single Magellan corporate server,” including sensitive personal information.
“In limited instances, and only with respect to certain current employees, the unauthorized actor also used a piece of malware designed to steal login credentials and passwords,” DiBernardi Jr added.
“The exfiltrated records include personal information such as name, address, employee ID number, and W-2 or 1099 details such as Social Security number or Taxpayer ID number and, in limited circumstances, may also include usernames and passwords.”
According to the notice letter sent to affected parties, Magellan is not aware of any fraud attempts or misuse of personal information stolen during the attack.
Magellan Corporate Communications Vice President Ljiljana Ackley shared the following official statement:
Magellan Health was recently the target of a criminal ransomware attack on our company network, which resulted in a temporary systems outage and the exfiltration of certain confidential company and personal information. We are investigating the incident with forensic experts, notifying our customers, employees, impacted individuals, and appropriate government agencies, as applicable, and working with law enforcement authorities.
Unfortunately, these sorts of attacks are increasingly common. We take the safety, security, and reliability of our operations and services with the utmost seriousness. We have taken a number of additional measures to further strengthen our security policies and protocols. We are aggressively investigating this matter and will continue to provide updates to those impacted as the investigation continues.
Previous security incidents
Last year, Magellan also disclosed on September 17 and November 27 that Magellan Rx Management, National Imaging Associates, and Magellan Healthcare, three of its subsidiaries, were affected by potential data breaches following phishing attacks.
Magellan said that the attackers were able to gain access to employees’ email accounts on multiple dates, with the company discovering the incidents that exposed member protected health information on July 5 and July 12.
The compromised email accounts “contained information which may have included member’s name, date of birth, health plan member ID#, health plan, provider, diagnosis, drug, and authorization information,” according to Magellan.
In some cases, Social Security numbers (SSNs) were also exposed for members and providers who use them as taxpayer identification numbers (TINs).
The Company believes the employee may have been the target of a phishing scam and that the purpose of the unauthorized access to the email account was to send out email spam. – Magellan Health
“A third-party expert assisted in the investigation, which found no evidence that the hackers actually accessed, viewed or attempted to use the information in the employee’s email account,” Magellan added.
“It also found no compromise or unauthorized intrusion into any other Company systems containing member personal information.”
The information is gathered from Bleeping Computer.