Magellan Healthcare and National Imaging Services recently notified OCR of a HIPAA breach impacting 55,637 and 589 patients, respectively. The notification was made to OCR on September 17.
A press release issued by Magellan Health, Inc. for its subsidiaries, obtained by DataBreaches.net, reported that an anonymous, unauthorized third party accessed the email accounts of two employees who handle member data for Presbyterian Health Plan (PHP) in New Mexico.
The Company learned of one incident on July 5, 2019 in which unauthorized access to an employee’s email account occurred on May 28, 2019. The Company immediately secured the employee’s email account and conducted a thorough investigation of all email accounts and all other Magellan systems. On July 12, 2019 the investigation uncovered unauthorized access to the email account of a second employee on June 6, 2019. This email account was also immediately secured.
Magellan’s statement indicates that they believe that the purpose of the unauthorized access to the email accounts was to send out email spam, and that the employees had been targeted in a phishing attack.
As a result, member protected health information may potentially have been accessed. The affected email accounts included health care claims information such as health plan member name, date of birth, member ID, provider name, health benefit authorization information, date(s) of service, and billing codes. These email accounts also included the Social Security Number (SSN) of a small number of members and a number of providers who use their SSN as their Taxpayer Identification Number (TIN).
Although the company found no evidence that member data was actually accessed or exfiltrated, they are offering those affected complimentary credit monitoring protection.
In August, Presbyterian disclosed the breach, which reportedly affected more than 183,000 plan members. What is not clear at this point is whether the numbers Magellan and National Imaging Services reported to HHS as business associates are included in the 183,000 figure for Presbyterian or are separate and additional numbers.
Update: See also this coverage.