Public Notification: Magellan Data Security Incident

Public Notification: Magellan Data Security Incident

 

Note:  While Arnot Health itself has not experienced a data security incident, and none of its systems were compromised, Arnot Health was a “covered entity” in a recent data breach experienced by Magellan Health.  Therefore, as a covered entity, Arnot Health is issuing this media advisory to notify media outlets serving its service area of the data security incident, as required by the Code of Federal Regulations (Title 45, Public Welfare).  The nature of Arnot Health’s covered entity relationship with Magellan Health and the actions Magellan is taking are summarized below.

Arnot Health was a “covered entity” in the data security incident experienced by Magellan Health by virtue of its group health plan’s indirect relationship with Magellan, which contracted with Arnot Health’s former health insurance plan administrator, ELMCO.  Specifically, Magellan had provided pharmacy benefit administration services to ELMCO for Arnot’s self-insured employee health plan through December 2017.  A total of approximately 1,150 Arnot Health employees’ and family member’ accounts may have been compromised in the Magellan Health data security incident. 

A synopsis of Magellan’s notification to consumers of the data security incident follows:

Magellan Health, Inc. and its subsidiaries and affiliates (“Magellan”) recently discovered a ransomware attack. They are providing notice of this incident, along with background information of the incident and steps that those affected can take.  Magellan has a number of Arnot Health employee and family members’ personal information based on the services it provided to ELMCO, the former health insurance plan administrator for Arnot Health. 

Immediately after discovering the incident, Magellan retained a leading cybersecurity forensics firm, Mandiant, to help conduct a thorough investigation of the incident. The investigation revealed that the incident may have affected some of its customer’s members’ personal information.  Magellan has no evidence that any personal data has been misused.

The personal information included names and one or more of the following: treatment information, health insurance account information, member ID, other health-related information, e-mail addresses, phone numbers, and physical addresses.  No financial information was compromised.

Magellan immediately reported the incident to, and is working closely with, law enforcement including the FBI. To help prevent a similar incident from occurring in the future, Magellan has implemented additional security protocols designed to protect our network, email environment, systems, and personal information.

Consumers interested in learning more about ways to protect themselves or determine if their health plan or employer was affected can call 888-451-6558 or visit https://www.magellanhealth.com/news/security-incident/