Magellan Health, a Fortune 500 company, has revealed that it suffered a ransomware attack in April that led to the encryption of files and the theft of some employee data.
Magellan Health first discovered the ransomware attack on April 11, 2020, when files and databases were encrypted. The investigation into the attack showed the hacker had obtained access to its systems when someone replied to a spear phishing email on April 6. The hacker had tricked the employee by pretending to be a client of Magellan Health.
Magellan Health hired the cybersecurity firm Mandiant to help with the investigation into the breach, which showed that the cybercriminal had obtained access to a corporate server that contained employee information and had exfiltrated a subset of that data before the files were encrypted. The hacker also installed malware that was used to steal login details.
The data stolen by the hacker was limited to current employees and included names, addresses, employee ID numbers, and W-2 and 1099 information, which included taxpayer IDs and Social Security numbers. A limited number of usernames and passwords were also stolen in the attack.
Magellan Health has not found any evidence of any attempts to use that data but has advised affected individuals to be alert to the possibility of identity theft and improper use of their data. Impacted individuals have been offered a free 3-year membership to Experian’s IdentityWorks identity theft detection and resolution service.
Magellan Health is assisting law enforcement and is aggressively investigating the breach. Steps have already been taken to enhance security to prevent similar breaches going forward.
It is currently not known how many individuals have been impacted by the breach.
The ransomware attack comes not long after the company discovered some of its subsidiaries experienced phishing attacks. Magellan Rx Management, Magellan Healthcare, and National Imaging Associates were all impacted by those attacks. Announcements about the breaches were released in September 2019 and November 2019. The attacks occurred in July 2019 and resulted in the exposure of the protected health information of 55,637 subscribers.