Magellan Health, the Fortune 500 insurance company, has reported a ransomware attack and a data breach.
The company, which says it “empowers 1 in 10 Americans to lead healthier, more vibrant lives” according to its website, said the incident was discovered on April 11. It also said that it became apparent during a forensic investigation that the ransomware attack was the final stage in a longer campaign.
“The unauthorized actor gained access to Magellan’s systems after sending a phishing email on April 6 that impersonated a Magellan client,” according to a letter sent to victims and filed with the State of California. “Once the incident was discovered, Magellan immediately retained a leading cybersecurity forensics firm, Mandiant, to help conduct a thorough investigation of the incident. The investigation revealed that prior to the launch of the ransomware, the unauthorized actor exfiltrated a subset of data from a single Magellan corporate server, which included some of your personal information.”
Phishing emails are used in over 92 percent of all data breaches, and healthcare is the No. 1 target for hackers, according to Colin Bastable, CEO of security awareness training company Lucy Security. “Ransomware attacks are incredibly disruptive and expensive to mitigate, and with so many staff working remotely all organizations are highly vulnerable,” he said via email. “One wonders if tokenization might have been effective in preventing the hackers from stealing viable data. Today, everyone who has not been hacked should thank their lucky stars and train their employees to spot and report phishing emails. Up to 30 percent of untrained employees will fall for such a phishing email.”
The data breach portion of the proceedings only affected “some” current employees, according to Magellan, with the data thieves making off with login credentials and passwords, as well as personal information such as names, addresses and employee ID numbers. Some W-2 or 1099 details such as Social Security numbers or Taxpayer ID numbers were also lifted.
The company has 10,500 employees, but it didn’t say what portion were affected – Threatpost has reached out for clarification on that point, as well as the strain of ransomware involved and whether the company paid the ransom.
In response to the incident, Magellan has “implemented additional security protocols designed to protect our network, email environment, systems, and personal information,” it said, and is offering credit protection to those affected.
The infamous Maze ransomware group and others said that they would back off amidst the coronavirus pandemic – before coming back in that sector with a vengeance. Overall, healthcare organizations of all stripes continue to be attacked.
For instance, in April, the Clop ransomware group attacked biopharmaceutical company ExecuPharm and leaked “select corporate and personnel information” on underground forums in what’s known as a double-extortion attack. ExecuPharm, a Pennsylvania-based subsidiary of the U.S. biopharmaceutical giant Parexel, provides clinical trial management tools for biopharmaceutical companies. The attack was initiated through phishing emails that were sent to ExecuPharm employees.
“As expected, the purported ceasefire on healthcare providers by ransomware operators has proven short-lived,” said David Jemmett, CEO and founder, Cerberus Sentinel, via email. “Rather than being rooted in any sort of altruism, the attackers were simply waiting for the optimum time to strike: With Magellan under immense strain as it attempted to meet the demands onset by the COVID-19 pandemic. Following the high-profile attack on Fresenius, this should act as another lesson to other healthcare providers and industries in the States and across the globe.”
Inbox security is your best defense against today’s fastest growing security threat – phishing and Business Email Compromise attacks. On May 13 at 2 p.m. ET, join Valimail security experts and Threatpost for a FREE webinar, 5 Proven Strategies to Prevent Email Compromise. Get exclusive insights and advanced takeaways on how to lockdown your inbox to fend off the latest phishing and BEC assaults. Please register here for this sponsored webinar.
Also, don’t miss our latest on-demand webinar from DivvyCloud and Threatpost, A Practical Guide to Securing the Cloud in the Face of Crisis, with critical, advanced takeaways on how to avoid cloud disruption and chaos.