[BreachExchange] Third-Party Vendor Magellan Data Breach Impacts McLaren Health

Destry Winant destry at riskbasedsecurity.com
Thu Dec 5 10:11:55 EST 2019


December 04, 2019 - Third-party vendor Magellan Health added
Michigan-based McLaren Health to the covered entities impacted by a
phishing attack-related breach, which already included Geisinger Health
Plan, Presbyterian Health, Florida Blue, and TennCare.

An employee of the vendor’s subsidiary Magellan Rx Management fell
victim to a phishing attack in May. But officials did not discover the
security incident until a few months later in July. A review
determined a hacker accessed an employee email account, but officials
said it appears the goal was to send out further malicious emails.

The compromised data varied by patient, but could include names,
contact information, health plan member identification numbers,
prescriptions, authorization information, dates of birth, provider
names, diagnoses, and health plans.

McLaren contracted with Magellan until December 31, 2018, and
officials were notified about the breach on October 4.

On September 17, Magellan reported the incident to the Department of
Health and Human Services as impacting 55,637 patients. Those patients
included those from Geisinger, TennCare, Presbyterian, Florida Blue,
and now McLaren.

It’s the second third-party vendor-related breach for McLaren this
year. The Michigan provider was also among the long list of providers
impacted by the massive Wolverine Solutions Group breach, caused by a
ransomware attack in September 2018. More than 600,000 Michigan
residents were impacted, which spurred an investigation by the state’s
attorney general.


A further investigation into the Presbyterian Healthcare Services data
breach revealed more patients were potentially impacted during the
security incident, according to local news outlet Santa Fe New

Four months ago, Presbyterian notified 183,000 patients that their
data was potentially breached after several employees fell victim to
phishing attacks. The compromise lasted for about one month and
involved a trove of patient data, including names, dates of birth,
Social Security numbers, health plan, and/or clinical data.

Officials still stress that it does not appear the data was downloaded
or improperly used. However, during its continued investigation,
Presbyterian discovered more patients were potentially impacted by the
incident. About 275,000 patients began receiving notifications on
November 25.


An unspecified number of Nebraska Medical Center patients are being
notified that their data was accessed without authorization by an
employee, who has since been fired, according to local news outlet

During an internal audit of the electronic medical record system,
officials said they discovered an employee had accessed a number of
patient records between July and October. The compromised information
included names, addresses, Social Security numbers, medical test
results, dates of birth, and other sensitive information stored in the

They could not determine how many records were accessed. All impacted
patients will receive a year of free credit monitoring.

Insiders are the root cause of healthcare data breaches, according to
an Egress report from August. Privilege misuse and insider errors are
rampant in the sector, accounting for 81 percent of breaches, as noted
in Verizon’s annual Data Breach Investigations report.

“Effectively monitoring and flagging unusual and/or inappropriate
access to data that is not necessary for valid business use or
required for patient care is a matter of real concern for this
vertical,” the researchers wrote at the time. “Across all industries,
internal actor breaches have been more difficult to detect, more often
taking years to detect than do those breaches involving external

NMC’s internal auditing allowed the health system to detect the
wrongdoing in a shorter amount of time.


Loudoun Medical Group’s Comprehensive Sleep Care Center (CSCC) in
Leesburg, Virginia is notifying some of its patients that their data
was potentially breached after an employee email hack in June.

On June 19, the LMG IT team discovered unusual activity on a CSCC
employee email account. The password was changed, and access blocked,
as the IT team launched an investigation. Working with third-party
forensic investigators, officials said they determined a hacker gained
access to a single email account between June 15 and June 19.

A review of the account lasted until October 17, which could account
for the nearly six-month delay in reporting the incident to patients.

The compromised data varied by patient and could include names, dates
of birth, Social Security numbers, driver’s licenses, passports,
medical record numbers, patient account numbers, payment card data,
financial account information, treatments, health insurance
information, medical history, and/or dates of service.

CSCC has since implemented additional safeguards to bolster its
security and reported the breach to HHS.
