GlobalSign Blog

Cyber Autopsy Series: Phishing Attack on Magellan Health

Cyber Autopsy Series: Phishing Attack on Magellan Health

Editor's Note: October marks National Cybersecurity Month, a full month dedicated to creating a more cyber-secure world for us all. Previously, we gave you 31 tips to help you #becybersmart. This year, to bring attention to this important matter, we’re introducing you to four huge cybersecurity incidents that could have possibly been prevented, had there been better defenses in place and more awareness. Join us every Thursday in October to read about one of these notorious cyber attacks and stick around for insights and learnings that may just prevent your case from being added to the file.

Cyber Victim:

The Fortune 500 insurance company, Magellan Health.

Case Details:

In April of 2020, Magellan Health discovered a breach to its systems. A sophisticated social engineering attack that impersonated a Magellan Health client enabled hackers to gain access to the health plan’s servers. They then launched a ransomware attack on the provider. Months later the tally of affected victims is now said to be around 1.7 million and hacked data includes personal information of both internal staff as well as external customers. 

Cyber History:

Unfortunately, this wasn’t the first time that Magellan received bad press for a cybersecurity incident. Just under a year beforehand, they were hit by another data breach stemming from a phishing attack. Lessons learned? Not really.  

Description of Events: 

  • April 6, 2020: Unbeknown to the company, hackers gained access to a Magellan server via a sophisticated social engineering phishing attack. The attack impersonated a Magellan Health client and opened up an access point to their servers.
  • April 6-11, 2020: The attacker exfiltrated sensitive data, such as names, contact information, employee ID numbers, social security numbers and taxpayer identification numbers. The threat actors were also able to install malware and steal further login details and passwords of some Magellan employees.
  • April 11, 2020: Magellan discovered it had become a victim of a ransomware attack. 
  • Post-April 11, 2020: Upon discovery, Magellan employed the cybersecurity forensics firm Mandiant to help investigate the incident. 
  • July 7, 2020: By July 7th, a report to the HHS was published, claiming 365,000 patients had been affected by the data breach. 
  • August 13, 2020: The number of impacted individuals continues to grow, with many individual breach reports having been filed by various Magellan units and related companies. The tally now stands at 1.7 million individuals

Magellan Health April 2020 attack timeline.png

Systems /Parties Impacted:

It seems that nobody was safe in this attack. With several rounds of revised tallies since the incident was first uncovered in April, it’s now clear that the hackers gained access to various information through potentially different avenues. The social engineering attack opened access to an internal server, exposing confidential employee information. Installed malware then opened up the networks further, by stealing additional login details and passwords. At this point nearly a dozen incident reports have been filed and an estimated 1.7 millions individuals have been impacted – both internally and externally. Yikes!

Probable Mode of Entry:

The initial entry point was a very clever, but essentially simple, targeted phishing attack. Between 70 and 90% of all data breaches are due to social engineering and phishing attacks, while the healthcare sector is the prime target for hackers. Once in a system, a hacker can infiltrate the systems from within. In the Magellan case, the attackers found their entry through social engineering, skimming employee data and using malware to gain access to several other login credentials before launching a ransomware attack. Only at this point was the attack spotted. 

Final Diagnosis:

With the healthcare industry being a number one target, the sector faces a high risk of incidents. The data at stake is lucrative, and the ransomware payouts are enticing to ambitious hackers. While several cybercrime gangs have announced a truce on the healthcare industry during our battle with Covid-19, not all hackers seem to have gotten the memo. And even if they've taken a break for the time being, there is no doubt they will come back with full force in the near future. 

In Germany a recent hack at the Universitätsklinikum Düsseldorf (University hospital Duesseldorf) led to the worst possible outcome – the loss of life. System inaccessibility forced the A&E department to close, and the patient died on the diversion to another hospital. In this case police were able to contact the attacker, which were possibly not aware of holding a hospital at ransom, and agreed to hand over the encryption key to unlock the data. But will future attacks end that swiftly? I think we can all agree that it’s not worth finding out. 

The 2017 WannaCry attack is another example of a prominent hack on the healthcare sector (and many other industries).  It froze British National Health Service data and forced doctors to cancel surgeries. WannaCry attacked older operating systems like Windows XP and Windows 7, systems which often still run in healthcare environments with legacy systems. It stresses the need for up to date operating systems, cyber defenses and employee training. 

The healthcare industry handles some of the most private and protect-worthy data. Cybersecurity defenses and cybersecurity training are therefore of utmost importance, so we’re not gambling with the lives of people at their most vulnerable. 

Magellan has used the attack as a late wake-up call: it has since bolstered security protocols for networks, email environments and personal data. For many of their employees and customers this will be too little too late. But it can serve as a reminder to the healthcare industry, to do anything within their power to protect their information. 

Do you need help training your staff on phishing awareness or want to put processes in place to help them? We have some handy guides on how to spot phishing, how to set up phishing training programs, how to digitally sign emails and general awareness of data security in the healthcare industry


Share this Post

Related Blogs