BreachExchange mailing list archives
Hacker may have private information on nearly 44, 000 TennCare members after Magellan data breach
From: Destry Winant <destry () riskbasedsecurity com>
Date: Mon, 11 Nov 2019 08:59:38 -0600
https://www.tennessean.com/story/news/health/2019/11/08/tenncare-hacked-private-info-44-000-members-magellan-health-services/2534103001/ Compromised data includes names, social security numbers and TennCare member ID. TennCare has known about the breach for two months The private information of nearly 44,000 TennCare members may have been stolen by a hacker who breached the email system of the agency’s pharmacy management vendor, officials announced on Friday. The private information that was potentially compromised includes names, social security numbers, member IDs, health plans, provider names and the names of drugs members have been prescribed. Both TennCare and Magellan Health Systems have known about the risk for two months, but did not announce the breach or tell affected people until Friday. When asked why TennCare waited to disclose the breach, TennCare spokeswoman Sarah Tanksley said the agency worked to get a “full understanding of the incident” and determine which members may have been impacted. “We have confidence in Magellan and this process,” Tanksley said in a text message. TennCare Director Gabe Roberts, right, presents the agency's budget to Gov. Bill Lee during a hearing on Wednesday, Nov. 6, 2019. (Photo: Tennessee state government video stream) Tanksley said 43,847 people may have been affected by the breach. The information was compromised because a Magellan employee fell for a phishing scheme, allowing hackers to gain access to his email account, which contained the members' information, according to a Magellan news release. Magallen said a third-party investigation “found no evidence” the hacker who accessed company emails “actually accessed, viewed or attempted to use" the members' information, but the company cannot rule out that the information still may have been accessed. As a result, the company is notifying impacted TennCare members and offering credit monitoring services, the news release states. “Magellan Health is committed to safeguarding the privacy and security of health plan member information and takes this matter very seriously,” the news release states. “The Company notified law enforcement about this incident, implemented enhanced security and authentication measures to further protect its email system, and is updating mandatory training to help employees keep their computers more secure.” TennCare data breach timeline The release states that the email breach occurred on May 28 and Magellan discovered the breach on July 5. The company says it did not determine TennCare data may have been accessed until Sept. 10, then alerted the agency the following day. Magellan spokespeople did not respond to voice messages or text messages seeking comment. According to the company news release, TennCare members who have questions about the hack can call 833-959-1351 or visit the website ide.myidcare.com/magellanhealthcare-nia-protect. Magellan has worked for TennCare since at least 2013, when they signed a three year, $35 million contract, according to a state government news release. As pharmacy benefits manager, Magellan processes all pharmacy transactions, administers TennCare’s Preferred Drug List and negotiates rebates and discounts with drug manufacturers, the release states. _______________________________________________ BreachExchange mailing list sponsored by Risk Based Security BreachExchange () lists riskbasedsecurity com If you wish to Edit your membership or Unsubscribe you can do so at the following link: https://lists.riskbasedsecurity.com/listinfo/breachexchange
Current thread:
- Hacker may have private information on nearly 44, 000 TennCare members after Magellan data breach Destry Winant (Nov 11)