Magellan Health, a Fortune 500 company, has revealed that it suffered a ransomware attack in April that led to the encryption of files and theft of some employee data.
The ransomware attack was first discovered by Magellan Health on April 11, 2020, when files were encrypted on its databases. The investigation into the attack showed the hacker had obtained access to its systems when someone replied to a spear phishing email on April 6. The hacker had tricked the employee by pretending to be a client of Magellan Health.
Magellan Health hired the cybersecurity firm Mandiant to assist with the investigation into the breach, which showed that the cybercriminal had obtained access to a corporate server that contained employee information and exfiltrated a subset of that data prior to the encryption of files. The hacker also installed malware that was used to steal login details.
The data stolen by the hacker was linked to current employees and included names, addresses, employee ID numbers, and W-2 and 1099 information, which included taxpayer IDs and Social Security numbers. A limited number of usernames and passwords were also taken in the attack.
Magellan Health has not found any evidence of any attempts to use that data but has advised affected individuals to be alert to the possibility of identity theft and improper use of their data. Impacted individuals have been offered a free 3-year membership to Experian’s IdentityWorks identity theft detection and resolution service.
Magellan Health is assisting law enforcement and is aggressively investigating the breach. Steps have already been taken to enhance security to prevent similar breaches going forward.
It is currently not known how many individuals have been impacted by the breach.
The ransomware attack comes not long after the company discovered that some of its subsidiaries had experienced phishing attacks. Magellan Rx Management, Magellan Healthcare, and National Imaging Associates were all impacted. Announcements about the breaches were released in September and November 2019, with the phishing attacks allowing unauthorized people to obtain access to staff email accounts in July 2019. The emails in the compromised accounts included the protected health information of 55,637 subscribers.