BreachExchange mailing list archives
Third-Party Vendor Magellan Data Breach Impacts McLaren Health
From: Destry Winant <destry () riskbasedsecurity com>
Date: Thu, 5 Dec 2019 09:11:55 -0600
https://healthitsecurity.com/news/third-party-vendor-magellan-data-breach-impacts-mclaren-health December 04, 2019 - Third-party Magellan Health added Michigan-based McLaren Health to the covered entities impacted by a phishing attack-related breach, which already included Geisinger Health Plan, Presbyterian Health, Florida Blue, and TennCare. An employee of the vendor’s subsidiary Magellan Rx Management fell victim to a phishing attack in May. But officials did not discover the security incident until a few months later in July. A review determined a hacker accessed an employee email account, but officials said it appears the goal was to send out further malicious emails. The compromised data varied by patient, but could include names, contact information, health plan member identification numbers, prescriptions, authorization information, dates of birth, provider names, diagnoses, and health plans. McLaren contracted with Magellan until December 31, 2018, and officials were notified about the breach on October 4. On September 17, Magellan reported the incident to the Department of Health and Human Services as impacting 55,637 patients. Those patients included those from Geisinger, TennCare, Presbyterian, Florida Blue, and now McLaren. It’s the second third-party vendor related breach for McLaren this year. The Michigan provider was also among the long list of providers impacted by the massive Wolverine Solutions Group breach, caused by a ransomware attack in September 2018. More than 600,000 Michigan residents were impacted, which spurred an investigation by the state’s attorney general. PRESBYTERIAN HEALTHCARE SERVICES EXPANDS BREACH IMPACT A further investigation into the Presbyterian Healthcare Services data breach revealed more patients were potentially impacted during the security incident, according to local news outlet Santa Fe New Mexican. Four months ago, Presbyterian notified 183,000 patients that their data was potentially breached after several employees fell victim to phishing attacks. The compromise lasted for about one month, and included a trove of patient data including names, dates of birth, Social Security numbers, health plan, and or clinical data. Officials still stress that it does not appear the data was downloaded or improperly used. However, during its continued investigation, Presbyterian discovered more patients were potentially impacted by the incident. About 275,000 patients began receiving notifications on November 25. INSIDER-WRONGDOING SPURS NEBRASKA MEDICAL BREACH NOTIFICATION An unspecified number of Nebraska Medical Center patients are being notified that their data was accessed without authorization by an employee, who has since been fired, according to local news outlet KMEG14. During an internal audit of the electronic medical record system, officials said they discovered an employee had accessed a number of patient records between July and October. The compromised information included names, addresses, Social Security numbers, medical test results, dates of birth, and other sensitive information stored in the EMR. They could not determine how many records were accessed. All impacted patients will receive a year of free credit monitoring. Insiders are the root cause of healthcare data breaches, according to an Egress report from August. Privilege misuse and insider errors are rampant in the sector, accounting for 81 percent of breaches, as noted in Verizon’s annual Data Breach Investigations report. “Effectively monitoring and flagging unusual and or inappropriate access to data that is not necessary for valid business use or required for patient care is a matter of real concern for this vertical,” the researchers wrote at the time. “Across all industries, internal actor breaches have been more difficult to detect, more often taking years to detect than do those breaches involving external actor.” NMC’s internal auditing allowed the health system to detect the wrongdoing in a shorter amount of time. LOUDOUN MEDICAL GROUP REPORTS JUNE 2019 EMAIL HACK Loudoun Medical Group’s Comprehensive Sleep Care Center (CSSC) in Leesburg, Virginia is notifying some of its patients that their data was potentially breached after an employee email hack in June. On June 19, the LMG IT team discovered unusual activity on a CSSC employee email account. The password was changed, and access blocked, as the IT team launched an investigation. Working with third-party forensic investigators, officials said they determined a hacker gained access to a single email account between June 15 and June 19. A review of the account lasted until October 17, which could account for the near-six month delay in reporting the incident to patients. The compromised data varied by patient and could include names, dates of birth, Social Security numbers, driver’s licenses, passports, medical record numbers, patient account numbers, payment card data, financial account information, treatments, health insurance information, medical history, and or dates of service. CSCC has since implemented additional safeguards to bolster its security and reported the breach to HHS. _______________________________________________ BreachExchange mailing list sponsored by Risk Based Security BreachExchange () lists riskbasedsecurity com If you wish to Edit your membership or Unsubscribe you can do so at the following link: https://lists.riskbasedsecurity.com/listinfo/breachexchange
Current thread:
- Third-Party Vendor Magellan Data Breach Impacts McLaren Health Destry Winant (Dec 05)