Ransomware Attack on Magellan Health Results in Data Exfiltration

May 13, 2020 - Arizona-based Magellan Health is notifying an undisclosed number of its current employees that their data was compromised after threat actors first exfiltrated sensitive data, before deploying a ransomware attack in April.

On April 11, the Fortune 500 company discovered it had fallen victim to a ransomware attack. Hackers first gained access to the Magellan Health network five days earlier, through a social engineering phishing scheme that impersonated a Magellan client.

Upon discovery, an investigation was launched with assistance from a third-party cybersecurity forensics firm. Officials said they determined that before the ransomware payload was launched, the cybercriminals exfiltrated a subset of data from a single corporate server, which included personal data from some of its employees.

The exfiltrated data included names, contact information, employee ID numbers, and W-2 or 1099 information, including Social Security numbers or taxpayer identification numbers. The hackers also leveraged malware to steal login credentials and passwords to a certain number of current Magellan employees.

The incident was reported to law enforcement authorities, including the FBI, and officials said they are currently working closely with those agencies around its investigation. Magellan has since bolstered its security protocols for its network, email environment systems, and personal data.

The attack mirrors recent reports of a spike in double extortion attempts, where hackers first gain access to a network and lie in wait on the victim’s system, stealing data and gaining intel, before launching the final ransomware payload. Check Point and the FBI reported healthcare entities are a prime target for these sophisticated attacks, especially throughout the COVID-19 pandemic.

Saint Francis Healthcare Partners’ Reports “Sophisticated Cyberattack”

Saint Francis Healthcare Partners (SFHCP) in Connecticut reportedly fell victim to a “sophisticated cyberattack" in December, which potentially breached the data of about 38,529 patients.

First discovered on December 30, a hacker was able to gain access to some protected health information. However, the notification did not provide details on how access was obtained or where the compromise occurred.

Three months later on March 20, a forensic analysis revealed the extent of data involved in the incident that included patient names, medical histories, medical record numbers, clinical data, treatments, health insurance provider information, prescriptions, account numbers, diagnoses, dates of service, and a host of other sensitive information. Financial data and Social Security numbers were not impacted.

SFHCP officials said they are taking steps to enhance their data security practices.

Ransomware Attack on Florida Internal Medicine Provider

Daniel Bendetowicz, MD, an internal medicine provider based in Florida, fell victim to a ransomware attack in March, which potentially breached the data of about 3,314 patients.

The attack was launched on March 25, which encrypted the data on the practice’s computer systems, including protected health information. The provider was able to restore health records from its backup hard drives and did not pay the ransom.

The attack encrypted a host of patient information, including names, contact information, Social Security numbers, dates of birth, medical insurance details, and other related health information. Bendetowicz is continuing to bolster its security to prevent a repeat incident.

Successful ransomware attacks have declined throughout the COVID-19 pandemic, while the number of attempts have remained flat, according to data from Emsisoft. Just 25 providers have reported falling victim to successful ransomware attacks during the first quarter of 2020, with researchers expecting a resurgence.

Further, with the increase in double extortion attempts, providers should use this lull to look out for indicators of compromise.