Incident Response, Email security, Vulnerability Management

Magellan Health settles for $1.43M after data breach, delayed notification

Share
One hundred dollar bills with Benjamin Franklin's profile are scattered in a pile.
Magellan Health agreed to a $1.43 million settlement for a 2019 data breach affecting 270,000 patients. ("Cash Money (part two)" by jtyerse is licensed under CC BY-NC-ND 2.0.)

Magellan Health has agreed to pay breach victims $1.43 million to resolve claims its allegedly inadequate security enabled an undetected phishing attack and subsequent patient data breach in 2019. Magellan is a third-party healthcare vendor that provides managed care services for health plans and other healthcare entities across the U.S.

The vendor continues to deny all claims of wrongdoing and “asserts there’s no evidence the third-party actor ever actually viewed any personally identifiable information or personal health information.” However, “further litigation would be protracted and expensive… and it’s desirable that the litigation be fully and finally settled.”

The statement highlights the ongoing reality of breach lawsuits in the healthcare sector, which have steadily risen in the last year despite the Supreme Court ruling that victims must show evidence of actual harm to pursue legal action.

The proposed settlement would resolve these claims and provide patients with cash settlements for out-of-pocket expenses. Individuals can claim up to $225 in ordinary out-of-pocket expenses, such as credit report costs, internet and phone charges, and $15 an hour for lost time, up to two hours.

Patients may also receive $2,500 for extraordinary costs for identity theft or other fraud tied to the incident, as well as three more hours of lost time at $15 an hour.

The final approval hearing is scheduled for December.

Magellan employee email compromised in 2019, leading to lawsuit

In October 2019, Geisinger Health was the first healthcare-covered entity to notify its patients that some of its health data was compromised due to the Magellan incident. Other Magellan clients were also impacted, including Florida Blue, Presbyterian Health, and TennCare.

Approximately 270,000 individuals were notified of the potential data compromise in the fall of 2019, including 44,000 patients of TennCare.

The notices revealed that an employee email account was compromised and used by the attacker to send troves of spam email. The incident was first detected on July 5, 2019, but the compromise began several months earlier in May of that same year.

During the undetected dwell time, the attacker was able to make mailbox authentications and connections that originated from outside the U.S. The investigators believed the hack likely began with a successful phishing attack or another fraudulent tactic, such as an employee inadvertently providing their credentials to the attacker.

The compromised data included patient names, Social Security numbers, health plans, provider names, prescriptions, identification numbers, types of service, diagnoses, and authorization IDs. It appeared the incident was designed solely for malicious means and not to obtain patient data, but Magellan could not rule out whether the actors accessed, viewed, or exfiltrated data.

The impacted patients swiftly filed a lawsuit against Magellan, taking particular issue with the timing of the detection and subsequent patient notifications. The lawsuit claimed the initial notices were sent to patients from Magellan on Nov. 8, 2019, despite the vendor first discovering the breach in July.

The lawsuit also took issue with Magellan’s failure to discover the incident for several months, and “that delay played into the thieves’ hands and made it more difficult for individuals… to take steps to stop the dissemination of their information to criminals around the world.”

Although the lawsuit notes that the actors have “already begun using the data to perpetrate their fraud, it does not detail those alleged fraudulent actions. At the time of the notice, Magellan asserted the forensics did not reveal whether the data was actually viewed.

Further, the patients claimed that the breach itself was a “direct result” of the vendor’s failure to implement adequate and reasonable cybersecurity procedures and protocols needed to effectively protect patient data. In doing so, “Magellan disregarded the rights of [patients]... by failing to take standard and reasonably available steps to prevent the data breach.”

Magellan was also accused of negligence and possible violations of the Health Insurance Portability and Accountability Act. But the vendor contested all claims and moved to dismiss the case several times for lack of standing and failure to state a claim where relief could be granted. But those efforts were denied on all grounds in May 2021.

Both 2019 and 2020 were rough years of cybersecurity for Magellan. In 2020, a separate incident became one of the largest healthcare data breaches of the year. A ransomware attack hit Magellan in April 2020, which affected eight of its affiliates and healthcare providers — and 365,000 patients.

Before the “sophisticated cyberattack” was deployed, the attackers first gained access through a social engineering phishing scheme that impersonated a Magellan client. The five day period of dwell time enabled the attacker to exfiltrate troves of patient data before deploying ransomware. The attack was contained to a single server.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.