Data Stolen in Magellan Health Ransomware Attack


The Fortune 500 company Magellan Health has announced it experienced a ransomware attack in April that resulted in the encryption of files and theft of some employee information.

The ransomware attack was detected by Magellan Health on April 11, 2020, when files were encrypted on its systems. The investigation into the attack revealed the attacker had gained access to its systems following a response to a spear phishing email sent on April 6. The attacker had fooled the employee by impersonating a client of Magellan Health.

Magellan Health contracted the cybersecurity firm Mandiant to conduct the review into the breach, which revealed the attacker had gained access to a corporate server that contained employee information and stole a subset of that data prior to the encryption of files. The attacker also downloaded malware that was used to steal login credentials.

The data stolen by the hacker related to current employees and included names, addresses, employee ID numbers, and W-2 and 1099 information, which included taxpayer IDs and Social Security numbers. A limited number of usernames and passwords were also stolen in the attack.

Magellan Health has not noticed any effort to use that data but has advised affected individuals to be alert to the possibility of identity theft and misuse of their data. Affected individuals have been offered a complimentary 3-year membership to Experian’s IdentityWorks identity theft detection and resolution service.

Magellan Health is working closely with law enforcement and is aggressively investigating the breach. Steps have already been taken to improve security to prevent similar breaches in the future.

It is currently not known exactly how many individuals have been affected by the breach.

The ransomware attack comes just a few months after the company discovered some of its subsidiaries suffered phishing attacks. Magellan Rx Management, Magellan Healthcare, and National Imaging Associates were all affected. Announcements about the breaches were made in September and November 2019, with the phishing attacks allowing unauthorized individuals to gain access to employee email accounts in July 2019. The emails in the compromised accounts contained the protected health information of 55,637 subscribers.