In April 2020, the Fortune 500 firm Magellan Health experienced a ransomware attack that resulted in widespread file encryption. The investigation revealed the attackers had exfiltrated data prior to file encryption, as is now common in ransomware attacks.
The attack started with a spear phishing email on April 6, 2020, that impersonated a Magellan client. A response to the email gave the attackers the foothold in the network they needed to launch their attack. Malware that collected credentials was then installed, and those credentials were used to gain access to a server. Five days after the initial attack, the ransomware payload was deployed. The compromised server contained patient data including personal information, treatment information, and health insurance details. The compromised server also included information on current employees, including the types of data typically sought by identity thieves.
In addition to Magellan Health, several of its affiliates and other healthcare providers were also impacted by the attack. The breach was reported to the HHS’ Office for Civil Rights by each entity affected. It is not clear whether all affected entities have now reported the breach, but currently nine entities are known to have been affected and the protected health information of at least 365,000 individuals was compromised in the attack. As such, it is the third largest healthcare data breach to be reported so far in 2020, behind the laptop theft at Health Share of Oregon (654,362 patients) and an improper disposal incident at Elkhart Emergency Physicians, Inc. (550,000 patients).
The following entities have now been confirmed as having been affected by the breach:
- Merit Health Plan – 102,748 patients
- Magellan Complete Care of Florida – 76,236 patients
- University of Florida Health Jacksonville – 54,002 patients
- Magellan Healthcare (Maryland) – 50,410 patients
- Magellan Rx Pharmacy – 33,040 patients
- National Imaging Associates – 22,560 patients
- UF Health Shands – 13,146 patients
- UF Health – 9,182 patients
- Magellan Complete Care of Virginia – 3,668 patients
Magellan Health is facing at least one class action lawsuit over the attack. The lawsuit names three former Magellan Health employees whose sensitive information was stolen in the attack. The Fortune 500 firm may also face lawsuits from patients and health plan members affected by the breach.