Logins, personal information and tax info were all exfiltrated ahead of the ransomware attack, thanks to a phishing email.


Magellan Health, the Fortune 500 insurance company, has reported a ransomware attack and a data breach.

The company, whose website says it “empowers 1 in 10 Americans to lead healthier, more vibrant lives,” said the incident was discovered on April 11. It added that a forensic investigation revealed the ransomware attack to be the final stage of a longer campaign.

“The unauthorized actor gained access to Magellan’s systems after sending a phishing email on April 6 that impersonated a Magellan client,” according to a letter sent to victims and filed with the State of California. “Once the incident was discovered, Magellan immediately retained a leading cybersecurity forensics firm, Mandiant, to help conduct a thorough investigation of the incident. The investigation revealed that prior to the launch of the ransomware, the unauthorized actor exfiltrated a subset of data from a single Magellan corporate server, which included some of your personal information.”

Phishing emails are used in over 92 percent of all data breaches, and healthcare is the No. 1 target for hackers, according to Colin Bastable, CEO of security awareness training company Lucy Security. “Ransomware attacks are incredibly disruptive and expensive to mitigate, and with so many staff working remotely all organizations are highly vulnerable,” he said via email. “One wonders if tokenization might have been effective in preventing the hackers from stealing viable data. Today, everyone who has not been hacked should thank their lucky stars and train their employees to spot and report phishing emails. Up to 30 percent of untrained employees will fall for such a phishing email.”

The data breach portion of the incident affected only “some” current employees, according to Magellan. The data thieves made off with login credentials and passwords, as well as personal information such as names, addresses and employee ID numbers. Some W-2 or 1099 details, such as Social Security numbers or Taxpayer ID numbers, were also taken.

The company has 10,500 employees, but it didn’t say what portion were affected – Threatpost reached out for clarification on that point, as well as the strain of ransomware involved and whether the company paid the ransom. The company returned the following statement:

“Magellan Health was recently the target of a criminal ransomware attack on our company network, which resulted in a temporary systems outage and the exfiltration of certain confidential company and personal information. We are investigating the incident with forensic experts, notifying our customers, employees, impacted individuals, and appropriate government agencies, as applicable, and working with law enforcement authorities.

Unfortunately, these sorts of attacks are increasingly common. We take the safety, security, and reliability of our operations and services with the utmost seriousness. We have taken a number of additional measures to further strengthen our security policies and protocols. We are aggressively investigating this matter and will continue to provide updates to those impacted as the investigation continues.”

The infamous Maze ransomware group and others said that they would hold off attacking healthcare organizations amid the coronavirus pandemic – before returning to that sector with a vengeance. Overall, healthcare organizations of all stripes continue to be attacked.

For instance, in April, the Clop ransomware group attacked biopharmaceutical company ExecuPharm and leaked “select corporate and personnel information” on underground forums in what’s known as a double-extortion attack. ExecuPharm, a Pennsylvania-based subsidiary of the U.S. biopharmaceutical giant Parexel, provides clinical trial management tools for biopharmaceutical companies. The attack was initiated through phishing emails that were sent to ExecuPharm employees.

“As expected, the purported ceasefire on healthcare providers by ransomware operators has proven short-lived,” said David Jemmett, CEO and founder, Cerberus Sentinel, via email. “Rather than being rooted in any sort of altruism, the attackers were simply waiting for the optimum time to strike: With Magellan under immense strain as it attempted to meet the demands onset by the COVID-19 pandemic. Following the high-profile attack on Fresenius, this should act as another lesson to other healthcare providers and industries in the States and across the globe.”