[BreachExchange] Geisinger Health Plan hit with breach after business associate targeted

Destry Winant destry at riskbasedsecurity.com
Tue Oct 29 10:00:31 EDT 2019


https://www.healthdatamanagement.com/news/geisinger-health-plan-hit-with-breach-after-business-associate-targeted

Geisinger Health Plan is notifying 5,848 members that their protected
health information may be compromised after a security incident at
Magellan National Imaging Associates, a vendor hired by the plan to
manage radiology benefits.

Magellan discovered on July 5 that the email account of an employee
had been sending out large amounts of spam email. An investigation
found several unauthorized mailbox authentications and connections
originating from outside the United States had been happening since
May.

Geisinger Health Plan believes unknown persons obtained the employee’s
email credentials through a phishing attack or other fraudulent
measures. Geisinger learned of the attack on September 24.

Magellan believes the intruder attempted to access the email account
solely to send out spam email with no intention of retrieving or
viewing member data. Nonetheless, Geisinger Health Plan says it is
treating the incident as a breach because it could not definitively
determine if any emails were accessed, viewed or downloaded.

In the aftermath, Magellan took steps to further secure all employee
email accounts by disabling certain email protocols on all mailbox
accounts, establishing relevant geofencing and implementing
Microsoft’s password hash synchronization and other measures. The
synchronization measure enables signing into certain services, such as
Office 365.
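The two signals the article describes, repeated mailbox authentications from outside the country and sign-ins over the mail protocols Magellan later disabled (the basic-auth protocols that a phished password works against), can be pulled out of sign-in logs with a short script. The following is an added example, not code from the article or from either organisation; the log lines are constructed for it, and the field layout, the allowed-country list and the legacy-protocol list are assumptions rather than any vendor's real format or policy.

```python
"""Added example: flag mailbox sign-ins that match the signals in the article.

Two checks run over each successful authentication:
  * source country outside the allowed set (the geofencing signal)
  * protocol in the legacy set (IMAP/POP3/SMTP-AUTH, the basic-auth protocols
    that are typically disabled after a credential-phishing incident)
A per-user dwell window then shows how long an account was exposed. Log format,
country list and protocol list are assumptions made for this example.
"""
from datetime import datetime

# Constructed sample records: timestamp, user, source country, protocol, result.
SAMPLE_LOG = """\
2019-05-02T03:14:00Z alice@example.org US WebMail success
2019-05-03T22:47:10Z alice@example.org RU IMAP success
2019-05-11T01:05:33Z alice@example.org RU IMAP success
2019-06-20T17:30:02Z bob@example.org US ActiveSync success
2019-06-28T09:12:45Z alice@example.org NG SMTP-AUTH success
2019-07-01T04:40:19Z carol@example.org BR POP3 failure
2019-07-04T23:59:59Z alice@example.org RU SMTP-AUTH success
"""

ALLOWED_COUNTRIES = {"US"}          # assumed geofence for this example
LEGACY_PROTOCOLS = {"IMAP", "POP3", "SMTP-AUTH"}  # assumed disable-or-alert list


def parse_log(text):
    """Parse the constructed whitespace-separated log format into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, country, proto, result = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "country": country,
            "protocol": proto,
            "success": result == "success",
        })
    return events


def find_suspicious(events, allowed=ALLOWED_COUNTRIES, legacy=LEGACY_PROTOCOLS):
    """Return successful sign-ins that are foreign, over a legacy protocol, or both."""
    hits = []
    for e in events:
        if not e["success"]:
            continue  # failed attempts are noise for this particular question
        reasons = []
        if e["country"] not in allowed:
            reasons.append("outside-allowed-geo")
        if e["protocol"] in legacy:
            reasons.append("legacy-protocol")
        if reasons:
            hits.append({**e, "reasons": reasons})
    return hits


def dwell_window(hits):
    """Per user: first and last suspicious success, i.e. how long the account was exposed."""
    window = {}
    for h in hits:
        first, last = window.get(h["user"], (h["time"], h["time"]))
        window[h["user"]] = (min(first, h["time"]), max(last, h["time"]))
    return window


def summarize(text):
    """Count suspicious sign-ins per user and report the exposure window as ISO dates."""
    hits = find_suspicious(parse_log(text))
    window = dwell_window(hits)
    return {
        user: {
            "count": sum(1 for h in hits if h["user"] == user),
            "first": w[0].date().isoformat(),
            "last": w[1].date().isoformat(),
        }
        for user, w in window.items()
    }


if __name__ == "__main__":
    for user, s in summarize(SAMPLE_LOG).items():
        print(f"{user}: {s['count']} suspicious sign-ins, {s['first']} .. {s['last']}")
```

On the constructed sample only one account is flagged, with a window running from early May to early July, which mirrors the timeline in the article: the spam was noticed in July, but the first foreign legacy-protocol authentication sits two months earlier. Failed attempts are deliberately excluded here because the question is exposure, not brute-forcing; a separate rule for failure bursts would cover that.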

Breach notifications started coming out on October 18. Compromised
data included names, patient/client identification numbers, types of
service, authorization identifications and diagnoses.

“We worked closely with Magellan to make sure all affected members
were identified and properly notified,” says John Signorino, chief
privacy officer at Geisinger. “Although all evidence points to the
fact that the intruders only intended to issue spam emails, in an
abundance of caution we are offering all of our affected members one
year of credit monitoring services through Experian and encourage them
to sign up by following instructions in the letters they received.”

Geisinger no longer works with Magellan.

Ed Gaudet, CEO and founder of Censinet, which operates a cloud
platform for vendor risk management, says the process of managing
third-party risk in the health industry is inefficient, based on a
recent study by Ponemon Institute and Censinet that found managing
vendor risk costs $3.8 million per healthcare provider per year, and
breaches cost $2.9 million in hidden costs.

“Provider executives and board members must begin to implement
proactive, automated approaches to risk management, arming them with
ability to make dynamic, informed decisions in real-time, lower costs
and avoid data breaches such as this one,” Gaudet advises.
