[BreachExchange] Victim Count in Magellan Ransomware Incident Soars

Destry Winant destry at riskbasedsecurity.com
Thu Jul 2 10:25:05 EDT 2020


https://www.databreachtoday.com/victim-count-in-magellan-ransomware-incident-soars-a-14532

The number of companies and individuals affected by an April
ransomware attack on managed care provider Magellan Health continues
to grow.

This illustrates the risks faced by interconnected organizations in
the healthcare sector, some experts note.

"A health insurer not only has a lot of the same patient data that a
provider may have, but they may have it for patients at hundreds or
thousands of providers," says former healthcare CIO David Finn,
executive vice president at privacy and security consulting firm
CynergisTek.

The healthcare sector is dependent on a flow of information among
business associates, providers, payers and government agencies, which
creates risks, he notes. "Every exchange of data creates a new
opportunity for attack," he says.

The Victim Tally

As of Tuesday, at least six Magellan affiliate companies, including
health plans, plus three University of Florida-related entities that
offer their employees Magellan health plans are listed on the
Department of Health and Human Services HIPAA Breach Reporting Tool
website as reporting breaches linked to the Magellan ransomware
attack.

So far, the breach reports show the total number of individuals
affected by the Magellan incident is more than 355,000. That makes the
incident the third largest health data breach reported to HHS in 2020
so far.

The largest of those Magellan-related breach reports was filed by
Illinois-based Merit Health Insurance Co., a unit of Magellan that on
June 12 reported more than 102,700 individuals affected by the breach.

As of Tuesday, breach reports appearing on the HHS website known to be
related to the Magellan ransomware attack also include:

Magellan Complete Care of Florida, a health plan with 76,236 people affected;
UF Health Jacksonville, a healthcare provider - 54,002;
Magellan Healthcare, Maryland, a business associate - 50,410;
Magellan Rx Pharmacy, Maryland, a healthcare provider - 33,040;
National Imaging Associates of Maryland, a business associate - 22,560;
UF Health Shands, a healthcare provider - 13,146;
UF, a healthcare provider - 9,182;
Magellan Complete Care of Virginia, a health plan - 3,568.

Impact on University of Florida

In a statement provided to Information Security Media Group, a
University of Florida spokesman says: "UF Health was notified of a
ransomware attack on Magellan Health, a HIPAA business associate of UF
Health, that took place in April 2020, which may have impacted
participants in our employee health plan. Under HIPAA, this is
Magellan's breach to manage, and as such, Magellan is leading the
response and working to mitigate the situation."

Magellan did not immediately respond to an ISMG request for additional details.

Tangled Risks

Security incidents involving health insurers and managed care
companies can affect a broad range of affiliates.

For instance, the 2015 cyberattack on health insurer Anthem that
exposed data on nearly 79 million individuals affected a long list of
related insurance firms and affiliates - including a variety of Blue
Cross Blue Shield organizations, such as Empire Blue Cross Blue Shield
in New York.

"Health insurers, particularly large ones like Magellan, are
attractive targets for hackers because of the large volume of health
and financial information they maintain and process on behalf of their
insureds and affiliates," says Jon Moore, chief risk officer at
security and privacy consultancy Clearwater. "Therefore, they see a
large volume of attacks and, as we see here, it only takes one
successful attack to impact a large number of individuals."

As an organization grows and becomes more complex, its attack surface
grows as well, Moore says. "It is highly likely that Magellan provides
IT services to its affiliates, including processing and storing their
insureds' financial and health information. Therefore, any breach is
likely to also impact their affiliates' customers as well as their
own."

Dustin Hutchison, president of security risk management consulting
firm Pondurance, offers a similar assessment. "Any organization that
is a hub of data for numerous entities increases the impact
significantly because they are a single target," he says.

"The insurer's data is also the data of their clients and customers,
so the downstream effect is magnified greatly. A threat actor may view
the compromise of one entity holding so much data as much more
attractive than targeting each client organization based on the effort
versus reward."

Magellan Breach

Scottsdale, Arizona-based Magellan Health announced on May 12 that it
discovered on April 11 that it was targeted by "a criminal ransomware
attack" on its corporate network that resulted in a temporary systems
outage and the exfiltration of confidential company and personal
information of an undisclosed number of individuals.

"The unauthorized actor gained access to Magellan's systems after
sending a phishing email on April 6 that impersonated a Magellan
client," the company said.

In a breach notification statement issued on June 12, Magellan
clarified that personal information potentially exposed included names
and one or more of the following: treatment information, health
insurance account information, member ID, other health-related
information, email addresses, phone numbers, and physical addresses.
In certain instances, Social Security numbers were also affected.

The company's May 12 statement noted that a third-party forensics
investigation revealed that prior to the launch of the ransomware,
"the unauthorized actor exfiltrated a subset of data from a single
Magellan corporate server, which included some personal information.
In limited instances, and only with respect to certain current
employees, the unauthorized actor also used a piece of malware
designed to steal login credentials and passwords."

The exfiltrated records include names, addresses, employee ID numbers,
and W-2 or 1099 federal tax form details, such as Social Security
numbers or taxpayer ID numbers, Magellan said. In some cases, it may
also include usernames and passwords.

Magellan says it has no evidence that any personal data has been misused.

Taking Action

"The increase in business email compromises and ransomware plus
exfiltration and extortion, coupled with a largely work-from-home
population, requires a thorough look at remote access controls and
ongoing monitoring," says Hutchison of Pondurance.

Clearwater's Moore adds: "Email based attacks are devastating
healthcare right now. We recommend organizations conduct phishing
assessments to identify those in their organization that require
additional training. It is crucial that we are not merely relying on
our staff but instead have additional controls in place such as
anti-malware, DMARC and spam and virus checks."

All segments of the healthcare sector must step up their security
efforts, adds CynergisTek's Finn.

"All organizations must build a culture of security and privacy and
invest in the people, processes and tools to sustain that culture," he
says. "While insiders are still the top threat vector in healthcare,
third parties are a rapidly growing second place.

"The more 'connections' you share data with, the higher your risk. We
must as an industry start looking at how we connect, what we share and
how, and insist that our partners apply the same level of risk
management to ... data as our own organization does."

