Close to a million Michiganders are finding that their healthcare information may not be as secure as they thought it was, according to Michigan’s Attorney General Dana Nessel. Unfortunately, the personal health and financial information of these individuals were part of a massive ransomware attack on a third-party subcontractor who prints and mails bills for healthcare organizations in the area. While the attack happened back in September 2018, the far-reaching repercussions are still being identified over six months after the breach occurred. These unlucky individuals are discovering that a vast array of information was impacted, including social security numbers, dates of birth, personal addresses, names, medical information, phone numbers and even information about their insurance contracts. It took nearly three weeks for the contractor, Wolverine Solutions Group, to regain access to their data after the ransomware attack.
Healthcare Organizations Are Often Targeted by Hackers
Due to the high volume of personal, financial and health information available, healthcare practices and associated organizations such as Wolverine Solutions Group are often the targets of cyberterrorists. The information that is stored within the vaults of these companies is extremely attractive, both for the data points and the perception that healthcare organizations will pay handsomely to regain access to their crucial healthcare data in the event of a ransomware attack. Ransomware costs American small businesses more than $75 billion per year according to Datto, a staggering sum when you consider that this downtime can result in costs upwards of $8,500 per hour. Ransomware is increasingly becoming a part of the technology landscape, as cybercriminals perceive it to be a relatively easy and untraceable payday due to the rise of anonymous digital currency such as bitcoin.
Was the Record Encryption Strong Enough?
One of the questions that cybersecurity professionals are attempting to answer is whether or not the encryption that was applied to the records was enough to protect the records from the cybercriminals. In the case of ransomware, Wolverine Solutions lost access to their data for a period of approximately three weeks. During that period, it’s still unclear whether the cybercriminals attempted to break the data encryption — and if they were ultimately successful, where that data might have been shared with others or sold on the dark web. While a security firm brought into investigate initially felt that the attack was strictly focused on gaining ransom money, that has yet to be independently corroborated.
Patient Notification and Next Steps
Patients who were potentially affected are being notified by Wolverine Solutions Group, an expensive and time-consuming process as it requires multiple contact methods and a great deal of support. The organization is also providing complimentary credit monitoring and identity protection services for the affected patients, an additional cost that must be considered a part of the loss. These services will all be provided for the period of a year, while patients worry and wait — wondering if their personal health and financial information is in the hands of cybercriminals somewhere in the world. While Wolverine Solutions Group technology leaders note that they are taking steps to ensure that this type of attack doesn’t happen again, this negative publicity has likely affected their business in ways that will continue to be seen for years to come.
While it’s nearly impossible to create a system that cannot be breached, this instance illustrates the importance of having proactive, advanced backup and data protection processes in place. Cybercrime is rampant throughout the world, and there are no businesses that are truly immune from the effects of a major attack. Wolverine Solutions Group is merely the latest in a string of healthcare organizations that suffered from this type of aggressive ransomware attack and join Hollywood Presbyterian Medical Center and other large healthcare organizations in the growing list of targets.