Cyber Incident Victim: Magellan Health

Date: Apr 2020

Location: United States of America

Summary

A ransomware attack compromised a healthcare organization after threat actors gained access via a phishing email impersonating a client, leading to data exfiltration from a corporate server. The stolen information included personal details such as names, addresses, employee IDs, Social Security numbers, and tax documents, with malware also capturing login credentials for some current employees. The company engaged cybersecurity experts, notified affected individuals and authorities, and implemented enhanced security measures, though no fraud or misuse of the stolen data was identified. This incident followed prior phishing attacks targeting subsidiaries, which exposed health plan details and Social Security numbers but showed no evidence of unauthorized data access or system intrusion beyond compromised email accounts.

Description

On April 6, 2020, attackers impersonating a Magellan Health client sent a phishing email that compromised the Fortune 500 healthcare company’s systems. Five days later, on April 11, Magellan discovered it had been targeted by a ransomware attack, triggering an immediate response that included engaging cybersecurity firm Mandiant for forensic investigation and notifying law enforcement agencies. The investigation revealed the threat actors exfiltrated a subset of data from a single corporate server, containing personal information such as names, addresses, employee ID numbers, Social Security numbers, Taxpayer ID numbers, and W-2 or 1099 details. In limited cases involving current employees, attackers deployed credential-stealing malware to harvest usernames and passwords. The incident caused a temporary systems outage but did not disrupt Magellan’s clinical operations or customer-facing platforms. Magellan notified affected individuals, customers, employees, and government agencies, though the company stated it had no evidence of fraud or misuse of the stolen data.

This marked Magellan’s second major cybersecurity incident within a year. Between September and November 2019, three subsidiaries—Magellan Rx Management, National Imaging Associates, and Magellan Healthcare—disclosed unauthorized access to employee email accounts via phishing attacks occurring on multiple dates, discovered on July 5 and July 12, 2019. Those breaches exposed protected health information including member names, birth dates, health plan IDs, provider details, diagnoses, drug information, and authorization data, with some Social Security numbers compromised when used as taxpayer IDs. A third-party forensic investigation found no evidence the attackers accessed, viewed, or misused the email account contents, nor did they penetrate broader company systems containing member data. Magellan attributed the 2019 email breaches to spam-oriented phishing targeting employees. Following the 2020 ransomware attack, the company implemented additional security policy and protocol enhancements while continuing to cooperate with law enforcement investigations.
