[BreachExchange] Hacker may have private information on nearly 44, 000 TennCare members after Magellan data breach

Mon Nov 11 09:59:38 EST 2019

https://www.tennessean.com/story/news/health/2019/11/08/tenncare-hacked-private-info-44-000-members-magellan-health-services/2534103001/

Compromised data includes names, social security numbers and TennCare member ID.
TennCare has known about the breach for two months

The private information of nearly 44,000 TennCare members may have
been stolen by a hacker who breached the email system of the agency’s
pharmacy management vendor, officials announced on Friday.

The private information that was potentially compromised includes
names, social security numbers, member IDs, health plans, provider
names and the names of drugs members have been prescribed.

Both TennCare and Magellan Health Systems have known about the risk
for two months, but did not announce the breach or tell affected
people until Friday.

When asked why TennCare waited to disclose the breach, TennCare
spokeswoman Sarah Tanksley said the agency worked to get a “full
understanding of the incident” and determine which members may have
been impacted.

“We have confidence in Magellan and this process,” Tanksley said in a
text message.

TennCare Director Gabe Roberts, right, presents the agency's budget to
Gov. Bill Lee during a hearing on Wednesday, Nov. 6, 2019. (Photo:
Tennessee state government video stream)

Tanksley said 43,847 people may have been affected by the breach.

The information was compromised because a Magellan employee fell for a
phishing scheme, allowing hackers to gain access to his email account,
which contained the members' information, according to a Magellan news
release.

Magallen said a third-party investigation “found no evidence” the
hacker who accessed company emails “actually accessed, viewed or
attempted to use" the members' information, but the company cannot
rule out that the information still may have been accessed.

As a result, the company is notifying impacted TennCare members and
offering credit monitoring services, the news release states.

“Magellan Health is committed to safeguarding the privacy and security
of health plan member information and takes this matter very
seriously,” the news release states. “The Company notified law
enforcement about this incident, implemented enhanced security and
authentication measures to further protect its email system, and is
updating mandatory training to help employees keep their computers
more secure.”

TennCare data breach timeline

The release states that the email breach occurred on May 28 and
Magellan discovered the breach on July 5. The company says it did not
determine TennCare data may have been accessed until Sept. 10, then
alerted the agency the following day.

Magellan spokespeople did not respond to voice messages or text
messages seeking comment.

According to the company news release, TennCare members who have
questions about the hack can call 833-959-1351 or visit the website
ide.myidcare.com/magellanhealthcare-nia-protect.

Magellan has worked for TennCare since at least 2013, when they signed
a three year, $35 million contract, according to a state government
news release.

As pharmacy benefits manager, Magellan processes all pharmacy
transactions, administers TennCare’s Preferred Drug List and
negotiates rebates and discounts with drug manufacturers, the release
states.