Geisinger Health Plan hit with breach after business associate targeted
Geisinger Health Plan is notifying 5,848 members that their protected health information may be compromised after a security incident at Magellan National Imaging Associates, a vendor hired by the plan to manage radiology benefits.
Magellan discovered on July 5 that the email account of an employee had been sending out large amounts of spam email. An investigation found several unauthorized mailbox authentications and connections originating from outside the United States had been happening since May.
Geisinger Health Plan believes unknown persons obtained the employee’s email credentials through a phishing attack or other fraudulent measures. Geisinger learned of the attack on September 24.
Magellan believes the intruder attempted to access the email account solely to send out spam email with no intention of retrieving or viewing member data. Nonetheless, Geisinger Health Plan says it is treating the incident as a breach because it could not definitely determine if any emails were accessed, viewed or downloaded.
In the aftermath, Magellan took steps to further secure all employee email accounts by disabling certain email protocols on all mailbox accounts, establishing relevant geofencing and implementing Microsoft’s password hash synchronization and other measures. The synchronization measure enables signing into certain services, such as Office 365.
Breach notifications started coming out on October 18. Compromised data included names, patient/client identification numbers, types of service, authorization identifications and diagnoses.
“We worked closely with Magellan to make sure all affected members were identified and properly notified,” says John Signorino, chief privacy officer at Geisinger. "Although all evidence points to the fact that the intruders only intended to issue spam emails, in an abundance of caution we are offering all of our affected members one year of credit monitoring services through Experian and encourage them to sign up by following instructions in the letters they received.”
Geisinger no longer works with Magellan.
Ed Gaudet, CEO and founder of Censinet, which operates a cloud platform for vendor risk management, says the process of managing third-party risk in the health industry is inefficient, based on a recent study by Ponemon Institute and Censinet that found managing vendor risk costs $3.8 million per healthcare provider per year, and breaches cost $2.9 million in hidden costs.
“Provider executives and board members must begin to implement proactive, automated approaches to risk management, arming them with ability to make dynamic, informed decisions in real-time, lower costs and avoid data breaches such as this one,” Gaudet advises.