2 Phishing Attacks Affect Presbyterian Health Plan MembersApparently Unrelated Attacks Potentially Expose Member Data
Phishing incidents have had a big impact on members of Albuquerque, New Mexico-based Presbyterian Health Plan in recent weeks.
A phishing attack revealed this week by two subsidiaries of the managed care company Magellan Health potentially exposed data of members of the health plan. Earlier, Presbyterian reported it had been directly targeted by a larger phishing incident (see: Health Data Breach Tally: Latest Additions)
Although the two phishing campaigns both apparently occurred in May, the attacks apparently were not related, according to spokeswomen for Magellan Health and Presbyterian Health Plan.
Most Recent Incident
On Tuesday, Scottsdale, Arizona-based Magellan Health issued a statement saying two of its subsidiaries - National Imaging Associates and Magellan Healthcare - "discovered a potential data breach related to protected health information belonging to members of Presbyterian Health Plan."
The two subsidiaries provide certain services to the health plan. For example, National Imaging Associates provides imaging prior authorization services, a spokeswoman for Presbyterian Health Plan says.
In the statement, Magellan says that it found "an anonymous, unauthorized third party accessed the email accounts of two employees who handle member data for PHP. The unauthorized access occurred on May 28 and June 6, 2019."
Megellan says it immediately secured both employee email accounts and conducted an investigation of all employee email accounts and all other systems. "We believe that the two impacted employees may have been the target of a phishing scam and that the purpose of the unauthorized access to the email accounts was to send out email spam," according to the company's statement.
As a result of the hacking incident, Presbyterian Health Plan member protected health information may have been accessed, the statement adds. Data potentially exposed included health plan member name, date of birth, member ID, provider name, health benefit authorization information, dates of service and billing codes. For a small number of members, Social Security numbers also were exposed.
"A third-party expert assisted in our investigation, which found no evidence that PHI has actually been accessed as a result of this incident. We also found no compromise or unauthorized intrusion into any of our other systems used to handle member or provider personal information," the Magellan Health statement says.
The Department of Health and Human Services' HIPAA Breach Reporting Tool website listing health data breaches impacting 500 or more individuals, shows that Magellan Healthcare and NIA each on Tuesday reported a hacking/IT incident involving email.
Magellan Healthcare reported its incident as impacting nearly 56,000 individuals, and NIA reported its incident as affecting about 600 individuals.
Earlier Phishing Incident
The Magellan Health revelation comes on the heels of Presbyterian Health Plan reporting to HHS a larger phishing incident directly targeting some of its employees.
The HHS breach reporting website shows that on Aug. 2, Presbyterian Health Plan reported a hacking/IT incident involving email and affecting nearly 183,400 individuals.
In a statement issued in August, the health plan said that on June 6, it discovered "anonymous, unauthorized access was gained through a deceptive email to some of Presbyterian's workforce members sometime around May 9."
Presbyterian Health Plan said it believes that the unauthorized access to these email accounts "was part of a phishing scam trying to get information." The compromised email accounts included health plan member names and might have contained dates of birth, Social Security numbers and clinical as well as health plan information, Presbyterian says.
Once the health plan became aware of this incident, it secured the email accounts, began a review of the impacted emails and alerted federal law enforcement, the statement notes.
The two incidents that affected Presbyterian Health Plan members show just how pervasive phishing attacks are in the healthcare sector.
"Covered entities and business associates cannot over-communicate when it comes to the sophistication of phishing attacks," says a privacy and security consultant who asked not to be named.
"This one threat can jeopardize the very operational effectiveness of a victimized entity. No organization is exempt from the damage that can be done. Ongoing reminders and providing real examples might just help the workforce pause - even if for a minute, before making a fatal click."
Phishing incidents have been at the center of some of the largest healthcare data breaches reported so far this year.
That includes a spear-phishing attack in January on the Oregon Department of Human Services targeting 2 million emails containing PHI of 350,000 individuals.
A research study released earlier this year by security vendor Proofpoint found that healthcare email fraud attack attempts increased by 473 percent over the past two years (see Phishing: Mitigating Risk, Minimizing Damage).