Magellan Health tapped cybersecurity firm Mandiant to investigate the ransomware attack, which determined the incident may have compromised personal data including names, treatment information and health insurance account information, as well as some Social Security numbers.
The firm also found that the hacker had exfiltrated some data from a corporate server before launching the ransomware. The hacker had gained access to Magellan Health's systems a few days earlier, April 6, after sending a phishing email impersonating one of the company's clients, the company wrote in May.
Magellan Health officials in the company's online notice said they have found no evidence to suggest the affected personal data has been misused.
The incident affected multiple Magellan entities, each of which needed to file its own report with OCR, a Magellan Health spokesperson wrote in an email.
The largest data breach reported in June associated with Magellan Health involved Merit Health Insurance Co., which disclosed that 102,748 patients had been affected.
The eight other organizations associated with Magellan Health that reported data breaches are Magellan Complete Care of Florida, UF Health Jacksonville, Magellan Healthcare, Magellan Rx Pharmacy, National Imaging Associates, UF Health Shands, University of Florida and Magellan Complete Care of Virginia.
A UF Health spokesperson said the ransomware attack at Magellan Health, a business associate of the health system, may have affected participants of its employee health plan.
"We at UF Health and the University of Florida take the privacy and security of our member information and our systems seriously," the spokesperson wrote in an emailed statement. "Under HIPAA, this is Magellan's breach to manage, and as such, Magellan is leading the response and working to mitigate the situation."
Providence Health Plan, part of Renton, Wash.-based Providence health system, reported a data breach in June affecting 49,511 individuals, also tied to a business associate. Providence Health Plan's data breach is separate from the incident at Magellan Health.
Zipari, a customer experience startup that develops technology for health insurers, on April 17 alerted Providence Health Plan about a coding error that exposed some of the plan's enrollment documents.—which were subsequently accessed by unauthorized individuals.
Zipari, after an analysis of the incident, determined the enrollment documents were "accessed by unauthorized IP addresses in May, September and November of 2019," according to a notice Providence Health Plan posted online.
The unsecured documents included information related to small employer group renewals, such as employer names, member names and member dates of birth. They did not contain medical history, health information, financial information or Social Security numbers.
Providence Health Plan in its notice said it is arranging a third-party audit of Zipari's data security practices
Hacking and IT incidents like those at entities affiliated with Magellan Health accounted for more than two-thirds of the 45 data breaches submitted to OCR in June. The remaining data breaches resulted from theft, loss, and unauthorized access or disclosure.
The number of patients affected in data breaches was down 78.4% from June of last year, when organizations reported 30 data breaches affecting nearly 3.5 million people.