The April 2020 ransomware attack on Magellan Health is now posted on the HHS’ Office for Civil Rights breach portal. There were 6 Magellan entities affected, which already reported the incident individually. Some other entities also sent in breach reports to verify the impact on their patients and subscribers.
It is too soon to state exactly how many people were affected by the ransomware attack, nevertheless as of July 1, 2020, the total is higher than 364,000. Thus, this breach incident is right now the third largest healthcare data breach that is reported in 2020. Some entities may have not reported the breach yet.
The entities that have confirmed being impacted by the breach are detailed in the following below.
- Magellan Healthcare, Maryland – 50,410 individuals affected
- Magellan Complete Care of Florida – 76,236 individuals affected
- Magellan Rx Pharmacy – 33,040 individuals affected
- Magellan Complete Care of Virginia – 3,568 individuals affected
- Merit Health Insurance Company – 102,748 individuals affected
- National Imaging Associate – 22,560 individuals affected
- University of Florida Jacksonville – 54,002 individuals affected
- University of Florida, Health Shands – 13,146 individuals affected
- University of Florida – 9,182 individuals affected
- Total individuals affected were 364,892
A lot of healthcare ransomware attacks that have been reported in the past weeks used brute force attacks on remote desktop services or exploited VPN vulnerabilities. But this ransomware attack is different as it used spear phishing email that impersonated a Magellan client. The attacker sent the spear phishing email on April 6 and deployed the ransomware less than one week later.
In the substitute breach notification letter of Magellan sent to the California Attorney General’s Office, it was mentioned that the attacker downloaded malware that was meant to take login credentials and passwords, and get access to one of Magellan’s corporate server and stole worker details. The attackers stole data associated with present workers and included the following details: Address, employee ID number, and W-2 or 1099 details that include Social Security number or Taxpayer ID number. For some employees, the attacker also got their usernames and passwords.
The notice of security incident posted on the Magellan Health websites confirms that Magellan Health patients and its subsidiaries and affiliates were likewise impacted. The following types of data were exposed: Treatment data, health insurance account details, member ID, other data related to health, phone numbers, email addresses, and physical addresses. Social Security numbers were also affected in particular instances.
On the June 12, 2020 website notice, there is no mention made whether there was a theft of protected health information (PHI) in the attack. In all incidents, Magellan Health states there is no evidence uncovered to date that suggests the misuse of any patient or personnel information.