National CSIRT-CY | National Computer Security Incident Response Team of Cyprus

The National Computer Security Incident Response Team provides for increased cyber security by strengthening the protection of cyberspace for the National Critical Information Infrastructures, banks and communication providers of the Republic of Cyprus.

Healthcare giant Magellan Health hit by ransomware attack

13 May 2020

Fortune 500 company Magellan Health Inc announced today that it was the victim of a ransomware attack on April 11, 2020, which led to the theft of personal information from one of its corporate servers.

Magellan Health is a for-profit managed health care and insurance firm that ranks 417 on the Fortune 500 list of the largest US corporations by total revenue.

Magellan’s customers include health plans and other managed care organizations, labor unions, employers, military and governmental agencies, as well as third-party administrators.

Attackers phished their way inside Magellan’s systems

“On April 11, 2020, Magellan discovered it was targeted by a ransomware attack. The unauthorized actor gained access to Magellan’s systems after sending a phishing email on April 6 that impersonated a Magellan client,” Magellan SVP & Chief Compliance Officer John J. DiBernardi Jr says in a breach notification notice filed with the office of the Attorney General of California.

Magellan retained the services of cybersecurity firm Mandiant immediately after discovering the incident to help with the investigation and reported the attack to law enforcement agencies.

As the investigation revealed, the threat actors behind the ransomware attack were able to steal and exfiltrate “a subset of data from a single Magellan corporate server,” including sensitive personal information.

“In limited instances, and only with respect to certain current employees, the unauthorized actor also used a piece of malware designed to steal login credentials and passwords,” DiBernardi Jr added.

“The exfiltrated records include personal information such as name, address, employee ID number, and W-2 or 1099 details such as Social Security number or Taxpayer ID number and, in limited circumstances, may also include usernames and passwords.”

According to the notice letter sent to affected parties, Magellan is not aware of any fraud attempts or misuse of personal information stolen during the attack.

Magellan Corporate Communications Vice President Ljiljana Ackley shared the following official statement:

Magellan Health was recently the target of a criminal ransomware attack on our company network, which resulted in a temporary systems outage and the exfiltration of certain confidential company and personal information. We are investigating the incident with forensic experts, notifying our customers, employees, impacted individuals, and appropriate government agencies, as applicable, and working with law enforcement authorities.

Unfortunately, these sorts of attacks are increasingly common. We take the safety, security, and reliability of our operations and services with the utmost seriousness. We have taken a number of additional measures to further strengthen our security policies and protocols. We are aggressively investigating this matter and will continue to provide updates to those impacted as the investigation continues.

Previous security incidents

Last year, Magellan also disclosed on September 17 and November 27 that Magellan Rx Management, National Imaging Associates, and Magellan Healthcare, three of its subsidiaries, were affected by potential data breaches following phishing attacks.

Magellan said that the attackers were able to gain access to employees’ email accounts on multiple dates, with the company discovering the incidents that exposed member protected health information on July 5 and July 12.

The compromised email accounts “contained information which may have included member’s name, date of birth, health plan member ID#, health plan, provider, diagnosis, drug, and authorization information,” according to Magellan.

In some cases, social security numbers (SSNs) were also exposed for members and providers who use them as taxpayer identification numbers (TIN).

The Company believes the employee may have been the target of a phishing scam and that the purpose of the unauthorized access to the email account was to send out email spam. – Magellan Health

“A third-party expert assisted in the investigation, which found no evidence that the hackers actually accessed, viewed or attempted to use the information in the employee’s email account,” Magellan added.

“It also found no compromise or unauthorized intrusion into any other Company systems containing member personal information.”

The information contained in this website is for general information purposes only. The information is gathered from Bleeping Computer. While we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk. Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.
