Magellan Health is a managed care provider based in Arizona. Recently, Magellan Health discovered that two of its subsidiaries suffered phishing attacks. The phishing attacks have exposed the protected health information (PHI) of members of Presbyterian Health Plan.
The subsidiaries that experienced the phishing attacks were National Imaging Associates and Magellan Healthcare. Both of these entities provide services to Presbyterian Health Plan.
Phishing Attacks Not Believed to be Related
The phishing attack at National Imaging Associates was discovered in July and affected approximately 600 individuals. The phishing attack at Magellan Healthcare was discovered a week later and is much larger in scope. The Magellan breach, discovered on July 12, has affected almost 56,000 individuals. The phishing attacks are not believed to be related to each other.
Investigation has revealed that the email accounts of two employees were breached, on May 28 and June 6 of this year. Each employee’s job duties included handling of plan member protected health information (PHI). Investigation further revealed that the purpose of the attack was to take control of the email accounts so that they could then be used to distribute spam messages.
To date, there is no evidence that any particular emails in the compromised accounts were accessed. In addition, there is no evidence to date suggesting that plan members’ health data has been misused.
The information that was exposed by the phishing attacks includes:
- Plan member names and ID numbers
- Dates of birth
- Dates of service
- Information relating to benefits authorization
The investigation also revealed that the Social Security numbers of a limited number of plan members were exposed.
These two incidents come on the heels of another phishing attack targeted at Presbyterian Health Plan members. That attack, reported to OCR in August, prompted an investigation, which concluded the hackers were trying to obtain sensitive information.
As a result of the July attacks, Magellan Health has implemented additional data security measures. These measures include enhanced authentication, strengthened email security, and an employee security awareness training program.
Secretary of Health and Human Services Posts Breaches on OCR Website
Under the HITECH Act, HHS, through its enforcement arm, the Office for Civil Rights (OCR), must post breaches of unsecured protected health information affecting 500 or more individuals online. Both of the breaches discovered in July have been posted on the OCR website, since in each instance, more than 500 individuals have been affected. The breaches are currently being investigated by OCR.