Some breaches dribble out over time, especially when they involve a business associate. This time, it’s Magellan Healthcare, Inc.
On September 17, Magellan Healthcare, Inc. notified HHS after an employee of Magellan Rx Management fell prey to a phishing attack in May that was discovered July 5. Analysis of the contents of the employee’s email account determined that the breach potentially impacted 55,637 patients.
But whose patients?
Geisinger Health Plan disclosed in October that they were one of Magellan Healthcare’s impacted clients, with 5,848 of their patients impacted.
On November 8, we learned that almost 44,000 TennCare members were impacted.
And on November 29, McLaren Health Plan disclosed that they, too, were impacted. They were notified by Magellan on October 4. McLaren had contracted with Magellan through December 31, 2018.
It was not a great year for McLaren, as this was the second business associate breach impacting their plan members. The first was the ransomware attack affecting Wolverine Solutions.
Update: Magellan was asked to clarify whether the 55k figure was the grand total for the incident and whether it included the numbers for TennCare, McLaren, and Geisinger. They were also asked whether they had issued any statement that identified all the covered entities impacted.
They declined to answer any of the questions. In response to the first question, spokesperson Kristen Durocher wrote:
“We are not at liberty to share such plan-specific information without the approval of the impacted health plan. The number of health plans impacted in the security incident represents a very small percentage of Magellan’s total business.”