Victim Count in Magellan Ransomware Incident SoarsBreach Reports Show Growing Tally of Affiliates, Individuals Affected
The number of companies and individuals affected by an April ransomware attack on managed care provider Magellan Health continues to grow.
This illustrates the risks faced by interconnected organizations in the healthcare sector, some experts note.
"A health insurer not only has a lot of the same patient data that a provider may have, but they may have it for patients at hundreds or thousands of providers," says former healthcare CIO David Finn, executive vice president at privacy and security consulting firm CynergisTek.
The healthcare sector is dependent on a flow of information among business associates, providers, payers and government agencies, which creates risks, he notes. "Every exchange of data creates a new opportunity for attack," he says.
The Victim Tally
As of Tuesday, at least six Magellan affiliate companies, including health plans, plus three University of Florida-related entities that offer their employees Magellan health plans are listed on the Department of Health and Human Services HIPAA Breach Reporting Tool website as reporting breaches linked to the Magellan ransomware attack.
So far, the breach reports show the total number of individuals affected by the Magellan incident is more than 355,000. That makes the incident the third largest health data breach reported to HHS in 2020 so far.
The largest of those Magellan-related breach reports was filed by Illinois-based Merit Health Insurance Co., a unit of Magellan that on June 12 reported more than 102,700 individuals affected by the breach.
As of Tuesday, breach reports appearing on the HHS website known to be related to the Magellan ransomware attack also include:
- Magellan Complete Care of Florida, a health plan with 76,236 people affected;
- UF Health Jacksonville, a healthcare provider - 54,002;
- Magellan Healthcare, Maryland, a business associate - 50,410;
- Magellan Rx Pharmacy, Maryland, a healthcare provider - 33,040;
- National Imaging Associates of Maryland, a business associate - 22,560;
- UF Health Shands, a healthcare provider - 13,146;
- UF, a healthcare provider - 9,182;
- Magellan Complete Care of Virginia, a health plan - 3,568.
Impact on University of Florida
In a statement provided to Information Security Media Group, a University of Florida spokesman says: "UF Health was notified of a ransomware attack on Magellan Health, a HIPAA business associate of UF Health, that took place in April 2020, which may have impacted participants in our employee health plan. Under HIPAA, this is Magellan's breach to manage, and as such, Magellan is leading the response and working to mitigate the situation."
"A threat actor may view the compromise of one entity holding so much data as much more attractive than targeting each client organization based on the effort versus reward."
—Dustin Hutchison, Pondurance
Magellan did not immediately respond to an ISMG request for additional details.
Security incidents involving health insurers and managed care companies can affect a broad range of affiliates.
For instance, the 2015 cyberattack on health insurer Anthem that exposed data on nearly 79 million individuals affected a long list of related insurance firms and affiliates - including a variety of Blue Cross Blue Shield organizations, such as Empire Blue Cross Blue Shield in New York.
"Health insurers, particularly large ones like Magellan, are attractive targets for hackers because of the large volume of health and financial information they maintain and process on behalf of their insureds and affiliates," says Jon Moore, chief risk officer at security and privacy consultancy Clearwater. "Therefore, they see a large volume of attacks and, as we see here, it only takes one successful attack to impact a large number of individuals."
As an organization grows and becomes more complex, it's attack surface grows as well, Moore says. "It is highly likely that Magellan provides IT services to its affiliates, including processing and storing their insureds' financial and health information. Therefore, any breach is likely to also impact their affiliates' customers as well as their own."
Dustin Hutchison, president of security risk management consulting firm Pondurance, offers a similar assessment. "Any organization that is a hub of data for numerous entities increases the impact significantly because they are a single target," he says.
"The insurer's data is also the data of their clients and customers, so the downstream effect is magnified greatly. A threat actor may view the compromise of one entity holding so much data as much more attractive than targeting each client organization based on the effort versus reward."
Scottsdale, Arizona-based Magellan Health announced on May 12 that it discovered on April 11 that it was targeted by "a criminal ransomware attack" on its corporate network that resulted in a temporary systems outage and the exfiltration of confidential company and personal information of an undisclosed number of individuals.
"The unauthorized actor gained access to Magellan's systems after sending a phishing email on April 6 that impersonated a Magellan client," the company said.
In a breach notification statement issued on June 12, Magellan clarified that personal information potentially exposed included names and one or more of the following: treatment information, health insurance account information, member ID, other health-related information, email addresses, phone numbers, and physical addresses. In certain instances, Social Security numbers were also affected.
The company's May 12 statement noted that a third-party forensics investigation revealed that prior to the launch of the ransomware, "the unauthorized actor exfiltrated a subset of data from a single Magellan corporate server, which included some personal information. In limited instances, and only with respect to certain current employees, the unauthorized actor also used a piece of malware designed to steal login credentials and passwords."
The exfiltrated records include names, addresses, employee ID numbers, and W-2 or 1099 federal tax form details, such as Social Security numbers or taxpayer ID numbers, Magellan said. In some cases, it also may also include usernames and passwords.
Magellan says it has no evidence that any personal data has been misused.
"The increase in business email compromises and ransomware plus exfiltration and extortion, coupled with a largely work-from-home population, requires a thorough look at remote access controls and ongoing monitoring," says Hutchison of Pondurance.
Clearwater's Moore adds: "Email based attacks are devastating healthcare right now. "We recommend organizations conduct phishing assessments to identify those in their organization that require additional training. It is crucial that we are not merely relying on our staff but instead have additional controls in place such as anti-malware, DMARC and spam and virus checks."
All segments of the healthcare sector must step up their security efforts, adds CynergisTek's Finn.
"All organizations must build a culture of security and privacy and invest in the people, processes and tools to sustain that culture," he says. "While insiders are still the top threat vector in healthcare, third parties are a rapidly growing second place.
"The more 'connections' you share data with, the higher your risk. We must as an industry start looking at how we connect, what we share and how, and insist that our partners apply the same level of risk management to ... data as our own organization does."