Incident Of The Week: Malware Attack Exposes Patient Data

Although still under investigation, hundreds of thousands may be impacted




In late September, a malware attack at Wolverine Solutions Group may have compromised the personal and medical information of hundreds of thousands of people nationwide.

Wolverine Solutions Group, a contractor that provides mailing and other services for hospitals and healthcare companies, is still under investigation, so the scale of the breach has yet to be revealed.

According to the Detroit Free Press, these are the customers who have already received notification of the security breach: Blue Cross Blue Shield of Michigan; Health Alliance Plan; McLaren Health Care; Three Rivers Health in southwestern Michigan; North Ottawa Community Health System in Grand Haven; and at least two hospitals in northwestern Pennsylvania: Warren General Hospital and the University of Pittsburgh Medical Center Kane.


The Full Impact

President Darryl English said the company did not find any evidence that vital records were taken, but officials are taking extra precautions to ensure patients are informed.

"In September, our computer system experienced a ransomware attack, which affected some of our servers. One of the servers that was affected actually contained personal client data," English said. "The process to identify individuals and correctly identify exactly what type of data we had on them to determine if notification needed to be sent out was an extensive process that actually took several months to go through."

English has not named all the companies that may have been affected, but noted that "the number of entities and sub-entities (combined) are in the mid to high hundreds." He said he's leaving it to the individual companies to identify how many of their customers may have had their data compromised, but said it's likely "in the high 6-figures."

The full impact of the problem won't be known until April, he said.

The Data Details

The security problem occurred on or around Sept. 25, when Wolverine Solutions Group "experienced a ransomware incident — a malicious software that attacked and locked up our servers and workstations."

The attack encrypted many of the company's records as part of an extortion scheme. Wolverine Solutions Group hired an outside team of forensic experts, who were able to determine which clients were affected and what data might have been compromised.

As of now, English reports that there is no evidence that the information has been retrieved or misused.

"Nevertheless, given the nature of the affected files, some of which contained individual patient information (names, addresses, dates of birth, Social Security numbers, insurance contract information and numbers, phone numbers, and medical information, including some highly sensitive medical information), out of an abundance of caution, we mailed letters to all impacted individuals recommending that they take immediate steps to protect themselves from any potential misuse of their information," Wolverine Solutions Group posted in a statement on its website.

A Pattern of Hospital Breaches

While Wolverine Solutions Group has been dealing with its own investigation, the incident comes on the heels of another recent breach at Rush System for Health, which reports that the data of 45,000 patients was exposed.

Rush was compromised through a data breach at one of the health system's third-party claims processing vendors. The breach was first reported by Crain's Chicago Business and was disclosed in a Rush financial filing (PDF). Rush learned about it on Jan. 22; it was the result of an employee at one of its third-party vendors improperly disclosing a file containing certain patient information to an unauthorized party.

The exposed data may include names, addresses, birthdays, Social Security numbers and health insurance information, according to the filing. The data did not include medical information. Rush said that to its knowledge, none of the information had been misused.

After it discovered the breach, Rush launched an internal investigation and suspended its contract with the vendor. Rush said it also was reviewing its internal procedures and contracting processes.

In the last two weeks, Cyber Security Hub has also reported on two other incidents involving healthcare data breaches.

UW Medicine also just sent out letters to 974,000 patients about a data breach that exposed some of their information on the internet. “UW Medicine became aware of a vulnerability on a website server that made protected internal files available and visible by search on the internet on Dec. 4, 2018,” spokeswoman Susan Gregg said in a statement. “The files contained protected health information (PHI) about reporting that UW Medicine is legally required to track, such as reporting to various regulatory bodies in compliance with Washington state reporting requirements.”

The files that were reported as going public did not contain any medical records, patient financial information or Social Security numbers; however, they did include protected health information and reporting that UW Medicine is legally required to track.

As of now, the files have been removed from public view and UW officials say they have taken steps to remove information that was saved to third-party sites.


More recently, an incident associated with UConn Health was among the last such issues of 2018: representatives from the organization became aware of it on December 24.

According to a statement on the health system's site, an unauthorized third party gained access to some employee email accounts. The information in those accounts included Social Security numbers, birthdays, names, and details about billing specifics or medical appointments.

Fortunately, reports published in February 2019 gave more clarity about the extent of the breach. The coverage said the breach affected as many as 326,000 individuals, and that 1,500 of those cases may have involved Social Security numbers. A representative from UConn Health also mentioned that the incident was a phishing attack, but said the organization had not identified the person or group responsible.
