HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Blue Cross Blue Shield of Michigan Members Notified of Business Associate Ransomware Attack

A business associate of Blue Cross Blue Shield of Michigan has experienced a ransomware attack that has potentially resulted in the theft of plan members’ protected health information. This is the second data breach affecting Blue Cross Blue Shield of Michigan plan members to be reported in December. In the other incident, some plan members’ PHI was stored on a laptop computer that was stolen from a different business associate.

The latest breach was experienced by Austin, TX-based Wolverine Solutions Group, a vendor that provides business services to Blue Cross Blue Shield of Michigan and several other healthcare clients.

On September 23, 2018, ransomware was installed on its network, resulting in the encryption of files on servers and workstations, including files containing protected health information.

A third-party computer forensics firm conducted an investigation into the breach but found no evidence of data exfiltration; however, data theft could not be entirely ruled out. The types of information that were potentially accessed and copied included demographic data, health plan contract numbers, and a limited amount of health information. Some Social Security numbers may also have been compromised.

According to Databreaches.net, the data breach was not confined to Blue Cross Blue Shield of Michigan. Other healthcare clients were also affected, including Molina Healthcare. 895 Molina Healthcare patients have also been notified that their PHI was potentially compromised.

Wolverine Solutions has written to all affected individuals to alert them to the breach and, out of an abundance of caution, has offered 12 months of complimentary credit monitoring services to breach victims. Due to Blue Cross Blue Shield of Michigan’s policies, its members have been offered extended protection for 24 months.

Wolverine Solutions has already taken steps to improve security and has moved to a new computer system that has added protection against these types of attacks. All employees have also received further training on the new safeguards.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.