Cyber Incident Victim: Magellan Health

Date: May 2019

Location: United States of America

Summary

Magellan Health subsidiaries experienced two unrelated phishing attacks compromising employee email accounts, potentially exposing protected health information of Presbyterian Health Plan members, including names, birth dates, member IDs, provider details, authorization data, service dates, billing codes, and some Social Security numbers. A separate phishing incident directly targeted the health plan, compromising additional employee accounts and potentially accessing clinical information and health plan details. While Magellan's investigation found no evidence of actual PHI access, both entities reported breaches affecting tens of thousands of individuals, secured impacted accounts, initiated reviews, and involved federal authorities.

Description

In May and June 2019, two phishing attacks impacted members of Presbyterian Health Plan through separate incidents involving Magellan Health subsidiaries and Presbyterian itself. Magellan Health disclosed on September 17, 2019, that two subsidiaries—National Imaging Associates (NIA) and Magellan Healthcare—experienced unauthorized access to employee email accounts on May 28 and June 6, 2019. These subsidiaries provided services to Presbyterian Health Plan, including imaging prior authorization. The attackers accessed two employee accounts handling member data, which Magellan attributed to a phishing scam aimed at sending spam emails. Exposed data included member names, dates of birth, member IDs, provider names, authorization details, service dates, billing codes, and Social Security numbers for a small subset. Magellan secured the compromised accounts, initiated an investigation of all email systems, and engaged a third-party expert. Their analysis found no evidence that protected health information was actually accessed or that other systems storing member/provider data were breached. Magellan Healthcare reported the incident affecting 55,958 individuals, while NIA reported 598 affected, as reflected in HHS breach records.

A separate phishing incident directly targeting Presbyterian Health Plan employees occurred around May 9, 2019, with discovery on June 6. Presbyterian reported this breach to HHS on August 2, 2019, noting impacts on 183,394 individuals. Unauthorized actors gained access via deceptive emails sent to workforce members, compromising accounts containing member names, dates of birth, Social Security numbers, clinical data, and health plan information. Presbyterian secured the affected accounts, reviewed email contents, and notified federal law enforcement. Both incidents—though unrelated and occurring weeks apart—highlighted phishing threats to healthcare entities. Magellan’s breach involved third-party service providers, while Presbyterian’s stemmed from direct employee targeting; together, the email account compromises exposed sensitive data of nearly 240,000 individuals. No operational system intrusions beyond the email accounts were confirmed in either case.