Aries insurance services, a division of URL.
Medicare Offerings
Geisinger Gold Weekly Bulletin: Oct. 22, 2019
Important information regarding client information

We are writing to notify you of a security incident involving a Geisinger Health Plan (GHP) vendor (Magellan National Imaging Associates) and your clients’ Protected Health Information (PHI). From February 2011 until September 11, 2017, Magellan National Imaging Associates (“Magellan NIA”) was GHP’s vendor to manage certain radiology benefits. Magellan NIA provides radiology benefit services to health plans across the country. While GHP no longer uses Magellan NIA for radiology benefits, GHP still contracts with Magellan for certain other services.

On July 5, 2019, the Magellan Information Security team discovered that the Microsoft Office 365 email account of a Magellan client had been sending out large volumes of spam email. An investigation revealed that several unauthorized mailbox authentications and connections originating from outside the country had been occurring on this client’s email account since May 28, 2019. It is believed that the unknown individuals were able to obtain the client’s email log-in credentials through a phishing attack or other fraudulent means. Magellan immediately began an investigation into the incident and alerted us to the issue on September 24, 2019.

Magellan believes that the intruder was attempting to access the account solely to send out spam emails and had no intentions to retrieve or view any data at all. However, despite Magellan’s best efforts, and because of technical limitations with the email protocol used by Magellan, Magellan could not definitively determine a lack of breach. While we have no evidence that any emails were accessed, viewed, or downloaded by the unauthorized intruder(s), and since Magellan is similarly unable to furnish any evidence that they did not do so, GHP is treating this incident as a breach.

Magellan has taken steps to further secure all client email accounts by disabling certain email protocols on all mailbox accounts, establishing relevant geofencing, and implementing Microsoft’s Password Hash Sync as well as other similar measures. Magellan also determined that none of its other systems experienced any unauthorized access aside from the impacted Microsoft Office 365 email accounts. 

Magellan engaged a data forensics firm to perform an exhaustive and lengthy review of the hundreds of thousands of emails and associated email attachments in the impacted Magellan clients’ email accounts in order to identify any affected health plan members in the emails, the health plan to which they belong, and the potentially exposed PHI of those members. On September 16, 2019, the forensics firm delivered to Magellan its final analyses of the data, including the impacted members and, where noted in the data, the members’ health plans. Magellan provided the list of impacted members to us on October 3, 2019, and a review determined that [Group Name] clients were included in the data in a client’s email account. The data that may have been exposed could have included their name, patient/client ID, type of service, authorization ID, and diagnosis.

Magellan is offering a year of complimentary credit monitoring to members who were included in the potential breach.

This incident was reported to our Incident Response Team, which performed a risk assessment, and we believe that an individual breach notification letter should be sent because of the data elements involved and the fact that Magellan’s forensic report could not demonstrate that the data was not downloaded or viewed.

Note that if a member is deceased, we will change the template letter and will not offer credit monitoring. We will attempt to send the letter to the member’s next of kin if we have that address on file.

Click here to view the member notification letter.

If you have any questions, please reach out to Brian Andrew.


 
Reminder: Geisinger Gold Classic 360 Rx is only available in 18 counties.
As we enter our second week of the Annual Enrollment Period, we would like to remind you that our new Geisinger Gold Classic 360 Rx product is only available in the following 18 counties:
  • Adams
  • Bucks
  • Carbon
  • Centre
  • Clinton
  • Franklin
  • Lackawanna
  • Lebanon
  • Lehigh
  • Luzerne
  • Lycoming
  • Monroe
  • Northampton
  • Pike
  • Schuylkill
  • Sullivan
  • Wyoming
  • York