Security breach grows: Hundreds of thousands of health care customers affected
A late September malware attack at Detroit-based Wolverine Solutions Group, a contractor that provides mailing and other services for hospitals and health care companies, may have compromised the personal and medical information of hundreds of thousands of people nationwide.
Among the companies whose customers already have gotten notification of the security breach are Blue Cross Blue Shield of Michigan; Health Alliance Plan; McLaren Health Care, Three Rivers Health in southwestern Michigan; North Ottawa Community Health System in Grand Haven, and at least two hospitals in northwestern Pennsylvania: Warren General Hospital and the University of Pittsburgh Medical Center Kane.
But the true depth and scale of the security breach has yet to be fully revealed, company President Darryl English said Wednesday, noting that an investigation continues. Some people whose data may have been compromised still have not been notified.
English refused to name all the companies that may have been affected, but noted that "the number of entities and sub-entities (combined) are in the mid to high hundreds." He said he's leaving it to the individual companies to identify how many of their customers may have had their data compromised, but said it's likely "in the high 6-figures."
The full impact of the problem won't be fully known until April, he said.
The breach happened in the fall
The security problem occurred on or around Sept. 25, when Wolverine Solutions Group "experienced a ransomware incident — a malicious software that attacked and locked up our servers and workstations."
The attack encrypted many of the company's records as part of an extortion scheme. Wolverine Solutions Group hired an outside team of forensic experts, who were able to determine which clients were affected and what data might have been compromised.
There's no evidence yet that the information has been retrieved or misused, English said.
"Nevertheless, given the nature of the affected files, some of which contained individual patient information (names, addresses, dates of birth, Social Security numbers, insurance contract information and numbers, phone numbers, and medical information, including some highly sensitive medical information), out of an abundance of caution, we mailed letters to all impacted individuals recommending that they take immediate steps to protect themselves from any potential misuse of their information," Wolverine Solutions Group posted in a statement on its website.
A spokeswoman for McLaren Health Care told the Free Press on Wednesday that up to 300,000 of its patients statewide may have been affected by the breach. Letters were mailed Feb. 28 to alert those who were potentially affected.
Letters went out in late December to Blue Cross Blue Shield of Michigan customers, English said.
"About 150,000 of our members were impacted, with about 100,000 of them residing in Michigan," a spokeswoman for Blue Cross Blue Shield of Michigan told the Free Press. "The others are dispersed across many other states. BCBSM offered our members 24 months of credit protection through AllClear ID. We are working with Wolverine on a remediation plan they developed in response to the incident.
"We have no indication that any member information was extracted during the incident."
A total of 120,344 Health Alliance Plan clients' personal and protected medical information also may have been compromised, a company spokeswoman said. Letters notifying HAP customers of the breach were sent last week.
HAP said in a statement that the incident may have exposed customers' names, addresses, dates of birth, member identification numbers, health care provider names, patient identification numbers and claim information, such as the service codes and payment amounts. It suggested Social Security numbers and credit card information were not exposed in the breach.
Wolverine Solutions Group notified HAP of the incident Nov. 28, but the company was not certain until early February of the extent of the breach and what data was most likely compromised, a HAP spokeswoman said.
As many as 15,000 North Ottawa Community Health System patients were affected, a spokeswoman said. For some, Social Security numbers and demographic information might have been compromised, but no medical information was put at risk, she said.
An additional 8,200 patients may have had their data compromised at Three Rivers Health in St. Joseph County as part of the breach, a spokesman for the hospital told the Free Press.
Each letter mailed to those whose data was compromised has been individualized to explain the depth of breach, English said. And although Social Security numbers were not compromised among HAP clients, the Social Security numbers of other health care systems and plans may have been, he said.
"The review of the actual data was done by a forensics company, which determined if any of those elements of data, like a Social Security number or a medical record number, or anything like that was included," English said. "All of those things were recorded … on an individual level. So there could be one person who may have had a Social Security number (compromised), but the person next to them did not. … They’re given that type of detail inside their letter. It is customized to the point where it does tell the individual what type of information was involved."
Wolverine Solutions Group is urging anyone who was potentially affected by the breach to:
Contact Equifax, TransUnion and Experian, the three national credit-reporting agencies as soon as possible to add a fraud alert statement to your credit file and remove your name from mailing lists of pre-approved offers of credit.
Get a free copy of your credit report by going to www.annualcreditreport.com.
Monitor all bills and credit-card charges to ensure they are legitimate.
Frequently review bank account statements, watching for checks, purchases, or deductions you didn't make.
Report any suspicion of identity theft to your local police department and the fraud department of the Federal Trade Commission.
Review your explanation of benefits statements from your health insurance provider and look for accounts or creditor inquiries, transactions or services that you did not initiate or do not recognize.
The company is offering AllClear ID for identity protection for those whose information may have been compromised.
Customers start to feel the effects
The letter mailed to affected HAP customers says Wolverine Solutions Group is trying to ensure it doesn't happen again: "We have migrated to a different computer system that has added protections and are training our workforce in safeguards."
Twenty-five-year-old Tyler Mayes of Oxford said he's trying to build his credit, and alarm bells went off in his mind when a letter arrived Wednesday from Wolverine Solutions Group that suggested his data might have been compromised in the McLaren Health breach.
Mayes said he pulled his credit report in October and saw that he had been dinged for an unpaid bill for $210 for a health care company he'd never visited and didn't recognize.
"Initially, I thought it was for a bill I didn't receive," he said. "I didn't dispute it until last month, when I realized this isn't something I missed."
He said he'd gone to a McLaren Health-affiliated urgent care center last year, and now he wonders whether the data breach is how he got billed for a fraudulent charge from another company.
"It has me worried now. ... Is this company going to take any kind of responsibility for it because I trusted them with my medical information. I don't know what to do now."
He said he also saw on his credit report an unpaid $88 fee from an anesthesiologist he never visited.
"I haven't been put under the knife in four years," he said. "So I had a phantom surgery that not even I knew about? I have received no bills in the mail, and have received no phone calls. I have no emails. They just randomly appeared on my credit report.
"I think they're not letting out as much out of the bag as they've got in there," Mayes said of the Wolverine Solutions Group breach. "People need to understand, it's not just McLaren that's going to pop up on your credit report ... there are so many different ways it could show up on your credit report. People have to watch."
Peter Pterneas, 65, of Center Line said he got a letter in the mail Saturday from Wolverine Solutions Group alerting him that his information was at risk, too.
He hasn't been insured by HAP since late 2016, and says he's concerned about what data was taken and how it might be used.
"We keep a tight review of our credit history so we're able to catch these things early," said Pterneas. "I got the impression from this that it's a possibility that my information was breached. I don't really feel assured. I feel like they're covering their bases, but they're not really admitting my information was taken.
"They have all the disclaimer words in here, you know, like 'your data may have been affected,' and 'we're notifying all the clients.' It is the general catch-all language that they're throwing out there to cover their bases so they can say that they're notifying me."
Pterneas said he'll continue to be vigilant about monitoring his credit now that there's a chance his personal information was taken.
"I have already been a victim once of fraud," he said. "This is coming to light again from a company that I didn't feel took care of me, which was their job. And now that I'm gone, they're still not taking care of me or hundreds of other people. ... And there's nothing we can do about it."