[BreachExchange] 2 Phishing Attacks Affect Presbyterian Health Plan Members

Destry Winant destry at riskbasedsecurity.com
Fri Sep 20 10:02:45 EDT 2019


Phishing incidents have had a big impact on members of Albuquerque,
New Mexico-based Presbyterian Health Plan in recent weeks.

A phishing attack revealed this week by two subsidiaries of the
managed care company Magellan Health potentially exposed data of
members of the health plan. Earlier, Presbyterian reported it had been
directly targeted by a larger phishing incident (see: Health Data
Breach Tally: Latest Additions).

Although both phishing campaigns apparently occurred in May, the
attacks do not appear to be related, according to spokeswomen for
Magellan Health and Presbyterian Health Plan.

Most Recent Incident

On Tuesday, Scottsdale, Arizona-based Magellan Health issued a
statement saying two of its subsidiaries - National Imaging Associates
and Magellan Healthcare - "discovered a potential data breach related
to protected health information belonging to members of Presbyterian
Health Plan."

The two subsidiaries provide certain services to the health plan. For
example, National Imaging Associates provides imaging prior
authorization services, a spokeswoman for Presbyterian Health Plan

In the statement, Magellan says that it found "an anonymous,
unauthorized third party accessed the email accounts of two employees
who handle member data for PHP. The unauthorized access occurred on
May 28 and June 6, 2019."

Magellan says it immediately secured both employee email accounts and
conducted an investigation of all employee email accounts and all
other systems. "We believe that the two impacted employees may have
been the target of a phishing scam and that the purpose of the
unauthorized access to the email accounts was to send out email spam,"
according to the company's statement.

As a result of the hacking incident, Presbyterian Health Plan member
protected health information may have been accessed, the statement
adds. Data potentially exposed included health plan member name, date
of birth, member ID, provider name, health benefit authorization
information, dates of service and billing codes. For a small number of
members, Social Security numbers also were exposed.

"A third-party expert assisted in our investigation, which found no
evidence that PHI has actually been accessed as a result of this
incident. We also found no compromise or unauthorized intrusion into
any of our other systems used to handle member or provider personal
information," the Magellan Health statement says.

The Department of Health and Human Services' HIPAA Breach Reporting
Tool website, which lists health data breaches impacting 500 or more
individuals, shows that Magellan Healthcare and NIA each on Tuesday
reported a hacking/IT incident involving email.

Magellan Healthcare reported its incident as impacting nearly 56,000
individuals, and NIA reported its incident as affecting about 600

Earlier Phishing Incident

The Magellan Health revelation comes on the heels of Presbyterian
Health Plan reporting to HHS a larger phishing incident directly
targeting some of its employees.

The HHS breach reporting website shows that on Aug. 2, Presbyterian
Health Plan reported a hacking/IT incident involving email and
affecting nearly 183,400 individuals.

In a statement issued in August, the health plan said that on June 6,
it discovered "anonymous, unauthorized access was gained through a
deceptive email to some of Presbyterian's workforce members sometime
around May 9."

Presbyterian Health Plan said it believes that the unauthorized access
to these email accounts "was part of a phishing scam trying to get
information." The compromised email accounts included health plan
member names and might have contained dates of birth, Social Security
numbers and clinical as well as health plan information, Presbyterian

Once the health plan became aware of this incident, it secured the
email accounts, began a review of the impacted emails and alerted
federal law enforcement, the statement notes.

Phishing Threats

The two incidents that affected Presbyterian Health Plan members show
just how pervasive phishing attacks are in the healthcare sector.

"Covered entities and business associates cannot over-communicate when
it comes to the sophistication of phishing attacks," says a privacy
and security consultant who asked not to be named.

"This one threat can jeopardize the very operational effectiveness of
a victimized entity. No organization is exempt from the damage that
can be done. Ongoing reminders and providing real examples might just
help the workforce pause - even if for a minute, before making a fatal

Phishing incidents have been at the center of some of the largest
healthcare data breaches reported so far this year.

That includes a spear-phishing attack in January on the Oregon
Department of Human Services targeting 2 million emails containing PHI
of 350,000 individuals.

A research study released earlier this year by security vendor
Proofpoint found that healthcare email fraud attack attempts increased
by 473 percent over the past two years.
