A major US healthcare provider has suffered a ransomware attack after falling for a phishing email that appeared to be sent by a client.
Magellan Healthcare received what they believed to be a genuine email from a client on April 6. Five days later, attackers compromised the systems of the Fortune 500 company, exfiltrating records containing personal information before launching ransomware to encrypt files.
In a cyber incident notification letter dated May 12 that was sent to those whose information had been compromised, Magellan Healthcare said that the exfiltrated records "include personal information such as name, address, employee ID number, and W-2 or 1099 details such as Social Security number or Taxpayer ID number and, in limited circumstances, may also include usernames and passwords."
An information-hungry thief or thieves exfiltrated a subset of data taken from a single Magellan corporate server, but they didn't stop there. According to a Magellan spokesperson: "In limited instances, and only with respect to certain current employees, the unauthorized actor also used a piece of malware designed to steal login credentials and passwords."
Upon discovering the ransomware attack, Magellan hired cybersecurity forensics firm Mandiant to help conduct a thorough investigation of the incident. It was Mandiant that discovered that prior to the launch of the ransomware, data had been exfiltrated.
The company also reported the cyber-attack to the FBI and relevant law enforcement agencies and filed a notice with the California attorney general's office on Monday.
Commenting on the incident, Erich Kron, security awareness advocate at KnowBe4, said: “The bigger story here was not the encryption of data and subsequent downtime, but the actual exfiltration of the data, which is becoming the norm in ransomware attacks.”
Magellan said that, since the incident occurred, the company has implemented additional security protocols "designed to protect our network, email environment, systems, and personal information."
Writing to those whose data was exposed in the attack, Magellan said: “At this point, we are not aware of any fraud or misuse of any of your personal information as a result of this incident."
Identity theft protection is being provided by the company to people whose information was stolen.
"Unfortunately, these sorts of attacks are increasingly common," a Magellan spokesperson told FOX Business. "We are aggressively investigating this matter and will continue to provide updates to those impacted as the investigation continues."