Magellan Health Inc. and Magellan Rx Management, LLC are on the receiving end of a proposed class action filed over a data breach that reportedly affected “tens of thousands” of participants in healthcare programs managed by the companies.
The lawsuit explains that Magellan provides pharmaceutical benefits management services to a number of healthcare providers, including Tennessee’s TennCare, Florida Blue, Independent Health, Emblem, Alliant Health Plans, ConnectiCare Inc., and Horizon BCBS NJ. According to the lawsuit, at least two Magellan employees’ email accounts were accessed in a phishing scam in May 2019 that exposed the personal and medical data of potentially thousands of healthcare plan participants, including 44,000 individuals who participate in TennCare, Tennessee’s state-sponsored Medicaid program.
Among the allegedly exposed information were patients’ names, Social Security numbers, member IDs, health plans, provider names, and the names of medications they’ve been prescribed.
The lawsuit claims the breach was a “direct result” of the defendants’ inadequate cybersecurity procedures and protocols. According to the case, the defendants “chose to ignore” an abundance of cybersecurity safeguards available within the healthcare industry.
“These best practices were known, or should have been known by Magellan, whose failure to heed and properly implement them directly led to the Data Breach and the unlawful exposure of [protected health and personally identifiable information],” the complaint claims.
Further, the suit relays that Magellan “inexplicably” waited more than four months to notify affected patients after discovering the breach in July 2019. The plaintiff claims she and other TennCare participants were first made privy to the incident on November 8, 2019, when Magellan stated in a notice that their personally identifiable information and other protected health information may have been compromised. According to the case, Magellan later revealed that other healthcare plan providers were also affected by the breach, though the companies have reportedly refused to disclose the total number of victims.
The case claims the damages caused by the defendants’ failure to protect patients’ sensitive information are “long lasting and severe,” and that the companies’ offer of one year of free identity monitoring services to a “subset of affected patients” is “wholly inadequate” given affected individuals will be exposed to a heightened risk of identity theft and fraud for “multiple years.”
The plaintiff looks to represent anyone whose personally identifiable information was compromised as a result of the data breach announced by Magellan in November 2019.