Ransomware healthcare data breaches continue to make headlines. Michigan officials have now stated that Wolverine Solutions Group, a Detroit-based billing service, experienced a ransomware healthcare data breach in Fall of 2018 that impacted more than 600,000 individuals.
This incident emphasizes the heightened risk that healthcare organizations face when it comes to ransomware. Organizations are also having an increasingly difficult time determining how to respond to and report ransomware attacks in compliance with the HIPAA Breach Notification Rule.
Dana Nessel, Michigan Attorney General, and Anita Fox, director of the Michigan Department of Insurance and Financial Services, stated that more than 600,000 residents’ sensitive health information may have been compromised in the Wolverine Solutions Group ransomware healthcare data breach.
Threat of Ransomware Growing
More than anything, this ransomware incident shows just how much of a risk non-secure vendors can pose to healthcare providers. Ransomware is a type of malicious software that infects an organization’s computer system. The ransomware works by encrypting sensitive data. The hackers responsible then extort the affected parties by demanding money in exchange for returning access to the ransomed data, or else risk having it sold on the dark web. Even if a provider is not directly responsible for a security incident, it may still be held liable in the event of a large-scale data breach or ransomware incident if proper protections were not in place.
Wolverine contracted with healthcare organizations to provide billing services. This qualifies the billing service as a HIPAA business associate. Many of the organizations that contracted with the group for billing services were affected by the breach. According to Michigan officials, patients affected by the breach include members of Blue Cross Blue Shield of Michigan, Health Alliance Plan, McLaren Health Care, Three Rivers Health, and North Ottawa Community Health System.
Three Rivers Health made a statement on its website regarding the incident. Wolverine is a subcontractor that it uses for patient collection services. Regarding the ransomware breach, it stated that: “Wolverine Solutions Group is taking full responsibility for the incident and is in the process of notifying affected patients and offering free credit monitoring and protection services.”
Health Alliance Plan also commented that the Wolverine Solutions Group ransomware breach potentially exposed the information of 120,000 of the insurer’s members.
Other than the five clients listed above, Wolverine Solutions Group did not disclose which additional companies or individuals in other states were also impacted by the ransomware attack.
Wolverine Solutions Group posted a statement on February 27, 2019 announcing the potential breach of protected health information (PHI). The breached information included patient names, addresses, phone numbers, dates of birth, Social Security numbers, insurance contract information, and medical information. Wolverine does not believe that any of the personal information was taken or used by the ransomware attackers. However, because the information was not properly encrypted, the risk remains and cannot be eliminated entirely. Any breach of unsecured PHI poses a serious threat to patients’ privacy, especially in large-scale ransomware breaches such as this one.
Ransomware health data breaches are unfortunately becoming a regular occurrence throughout the healthcare industry, and Wolverine Solutions Group is just another organization following the same pattern.
A ransomware attack can impact an organization’s daily operations by shutting down its business or practice for days until service or access is restored. In addition, if any PHI was involved in a breach, the organization will also need to address the incident as outlined in federal HIPAA regulations.
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released guidance on HIPAA ransomware after a string of high-profile incidents in 2016. The guidance indicated that if a ransomware attack targets unencrypted or unsecured data, the breach will most likely be seen as a HIPAA violation and must be reported. In some cases, the HIPAA ransomware guidance even suggests contacting the FBI.
If a breach affects more than 500 individuals, organizations are required to report the incident to HHS OCR and notify those individuals within 30 days of discovering the breach, as per the HIPAA Breach Notification Rule. If OCR identifies that the organization has not made a good faith effort toward HIPAA compliance, the organization can be investigated and fined.
According to a statement released by Wolverine Solutions Group, “On approximately September 25, 2018, the company discovered that an unauthorized party gained access to its computer system and infected the system with malware. The malware encrypted many of WSG’s records which made them inaccessible, in an effort to extort money from us.”
After the company discovered the ransomware attack, it began an internal investigation and hired outside forensic security experts to begin the decryption and restoration process. As the forensic team decrypted the information, they began to identify who was affected, including the company’s healthcare clients and specific individuals.
Wolverine Solutions Group mailed out the first notices on December 28, 2018, and additional notices were mailed in February 2019 and March 2019.
“As a result of our investigation, WSG believes that the records were simply encrypted. There is currently no indication that the information itself was extracted from WSG’s servers,” the company says.
Preventing Ransomware Attacks
If an effective compliance program is implemented, security and privacy measures will be in place to protect PHI from ransomware attacks or data breaches that may occur.
Compliancy Group provides health care professionals with the tools they need to effectively address their HIPAA compliance with our web-based app, The Guard. The Guard allows users to address every element of HIPAA compliance.
Our unique “Achieve, Illustrate, and Maintain” methodology has made us the industry leader in simplified compliance. Users are paired with a Compliance Coach who will guide them through every step of their compliance program.
And in the event of a data breach or HIPAA audit, our Audit Response Team works with users through the entire documentation and reporting process.
Compliancy Group simplifies HIPAA compliance so you can confidently focus on your business. Learn more about how we can help your organization today!