Magellan Health, the Fortune 500 insurance company, has reported a ransomware attack and a data breach.
The company, which according to its website “empowers 1 in 10 Americans to lead healthier, more vibrant lives”, said the incident was discovered on April 11. It added that a forensic investigation showed the ransomware attack was the final stage of a longer campaign.
“The unauthorized actor gained access to Magellan’s systems after sending a phishing email on April 6 that impersonated a Magellan client,” according to a letter sent to victims and filed with the State of California. “Once the incident was discovered, Magellan immediately retained a leading cybersecurity forensics firm, Mandiant, to help conduct a thorough investigation of the incident. The investigation revealed that prior to the launch of the ransomware, the unauthorized actor exfiltrated a subset of data from a single Magellan corporate server, which included some of your personal information.”
Source: BleepingComputer
Commenting on the news, Chad Anderson, senior security researcher at DomainTools, stated:
“Spear phishing emails are one of – if not the most – popular entry vectors for malware. Organisations should take this as a cautionary tale on the importance of cybersecurity awareness training. Security always starts with prevention.

Additionally, as it is impossible to reduce the risk of a human error down to zero, organisations should always keep offsite backups, either in an S3 bucket on AWS that does versioning, or a file server in a colocation centre, or even on tapes and stored in a separate building. Having up-to-date, secure backups will put organisations in the position of not paying the ransom and get back up and running faster and at a lower cost.

Thankfully, Magellan Health has responded to the attack by immediately notifying authorities and the involved parties, which is paramount to avoid further attacks being launched on the back of the stolen information. Individuals who have been impacted should immediately change their credentials and remain alert for any suspicious email they may receive in the coming months.”