Health Alliance Plan is notifying about 120,000 patients that their personal and medical data was potentially breached after a ransomware attack on its third-party vendor Wolverine Solutions Group in September.
According to Wolverine’s notice, the vendor fell victim to a ransomware attack on September 25. The malware encrypted many of the vendor’s records, rendering those files inaccessible. An investigation was launched, and forensics experts began the process of decrypting and restoring the files on October 3.
The compromised data included patient names, addresses, dates of birth, Social Security numbers, insurance contact details and numbers, medical data, and phone numbers. The investigation could not rule out data exfiltration.
According to HAP’s notice, the breach could have included member identification numbers, provider names, patient identification numbers, and claims data. It appears HAP members’ Social Security numbers and credit card details were not breached in the cyberattack on Wolverine.
While HAP was notified of the event on November 28, the extent of the breach was not known until early February, a spokesperson told local news outlet Detroit Free Press.
The majority of Wolverine’s critical programs were restored by October 25, and critical operations were running by November 5. However, officials said that from November through early February they were still attempting to determine the type of data affected by the malware, the impacted clients, and the specific patients involved.
“The timing of our notices to impacted individuals has been based on these ‘rolling’ discovery dates,” officials said in a statement. “The first notices were mailed on December 28, 2018. Additional notices have been mailed in February and further notices will be mailed in March.”
Wolverine handles the mailing services for HAP and other health-related business clients. The vendor already notified Blue Cross Blue Shield of Michigan on November 8 that the data of an unspecified number of its policyholders was compromised during the ransomware attack.
About 8,000 Three Rivers Health patients may also have been impacted by the ransomware attack. As Wolverine provides services for 700 companies and about 1.2 million individuals across the country, the security incident could impact an even greater number of patients.