56,226 Presbyterian Health Plan Members Impacted by Magellan Health Subsidiaries Phishing Attacks

The managed care company Magellan Health in Scottsville, AZScottsville, AZ found out that phishing attacks on two of its subsidiaries resulted in the exposure of the protected health information (PHI) of Presbyterian Health Plan members in Albuquerque, NM.

Two service providers to Presbyterian Health Plan, namely National Imaging Associates and Magellan Healthcare, experienced the phishing attacks. The Department of Health and Human Services’ Office for Civil Rights received reports of both incidents on September 17, 2019.

The National Imaging Associates discovered the incident on July 5 and affected 589 people and the Magellan Healthcare discovered the breach on July 12 and affected 55,637 people. Both breaches took place within a couple of days although they are not thought to be correlated.

The breach of two employees’ email accounts happened on May 28 and June 6, 2019. The two people managed the files associated to the health plan members. The investigation results showed that the purpose of the attack was to access email accounts and employ them to send spam email. There is no evidence uncovered that suggests the attackers accessed the emails in the accounts. There was also no report received that suggest the misuse of plan members’ data.

The information of people affected by the breach such as member’s name, member ID number, birth date, provider name, health benefit authorization data, date(s) of service, and billing codes were exposed. The Social Security number of some plan members were likewise exposed. No cost credit monitoring and identity theft protection services were offered to people whose Social Security number was exposed.

Because of the attacks, Magellan Health’s information security group has applied more authentication measures and bolstered email security. The company also enhanced its employee security awareness training program.

Presbyterian Health Plan members had a few bad months. Another targeted phishing attack hit the health plan and affected 183,400 plan members. Presbyterian Health Plan reported the incident to OCR in August. According to the investigation findings, the attackers were attempting to get sensitive information.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. Follow on Twitter: You can follow Elizabeth on twitter at https://twitter.com/ElizabethHzone