Phishing Attacks Compromise PHI of 56,000 Presbyterian Health Plan Members

A series of phishing attacks have compromised the protected health information of 56,000 members of Presbyterian Health Plan. 

The phishing attacks did not directly target NM-based Presbyterian Health Plan (PHP) but instead affected two subsidiaries of the managed care company, Magellan Health, who provide services to PHP. 

The two breaches occurred in July 2019. The first, experienced by National Imaging Associates, was discovered on July 5. An investigation was immediately launched into the breach, which determined that 589 PHP patients potentially had their data compromised. 

The second attack, which occurred at Magellan Healthcare, was much more severe. Discovered on July 12, the breach affected 55,637 PHP patients. 

Although both incidents were attributed to phishing attacks, investigators do not believe the attacks to be related and speculate the close timing to be a coincidence. 

PHP reported both incidents to the Department of Health and Human Services’ Office for Civil Rights on September 17, 2019.

Investigators determined the hacker first gained access to the email accounts on May 28 and June 6, 2019, after two different employees responded to phishing emails. 

Both of the email accounts contained information relating to members of the health plan. The investigation determined the attack aimed to compromise email accounts to use them to distribute spam email. 

PHP did not uncover any evidence to suggest the attackers accessed emails in the accounts. PHP has not received any reports that plan member’s information has been used in fraudulent activities to date. 

The investigators carefully reviewed all emails and attachments and concluded that the accounts contained sensitive information such as member’s name, date of birth, member ID number, provider name, health benefit authorization information, date(s) of service, and billing codes. 

A limited number of plan members also have their Social Security number exposed. Complimentary credit monitoring and identity theft protection services have been offered to individuals whose Social Security number was exposed.

Magellan Health’s information security team has implemented additional authentication measures to prevent another attack of this nature from occurring. They have also taken steps to improve their email security framework.

As both breaches were caused by employees responding to phasing emails, Magellan Health is reviewing its employee training policies and offering additional courses on how to spot and deal with phishing emails. 

This is the second major breach experienced by PHP in the past year. The health plan was also affected by another targeted phishing attack which affected 183,400 plan members. That incident was reported to OCR in August. The investigation of that attack suggests the attackers were trying to obtain sensitive information.