Blue Cross Blue Shield of Michigan Members Notified of Business Associate Ransomware Attack

Share this article on:

A business associate of Blue Cross Blue Shield of Michigan has experienced a ransomware attack that has potentially resulted in the theft of plan members’ protected health information. This is the second data breach affecting Blue Cross Blue Shield of Michigan plan members to be reported in December. Some plan members’ PHI was stored on a laptop computer that was stolen from a different business associate.

The latest breach was experienced by Austin, TX-based Wolverine Solutions Group, a vendor that provides business services to Blue Cross Blue Shield of Michigan and several other healthcare clients.

On September 23, 2018, ransomware was installed on its network that resulted in the encryption of files on servers and workstations, including files containing protected health information.

A third-party computer forensics firm conducted an investigation into the breach but found no evidence of data exfiltration; however, data theft could not be entirely ruled out. The types of information that was potentially accessed and copied included demographic data, health plan contract numbers, and a limited about of health information. Some Social Security numbers may also have been compromised.

According to Databreaches.net, the data breach was not confined to Blue Cross Blue Shield of Michigan. Other healthcare clients were also affected including Molina Healthcare. 895 Molina Healthcare patients have also been notified that their PHI was potentially compromised.

Wolverine Solutions has written to all affected individuals to alert them to the breach and, out of an abundance of caution, has offered 12 months of complimentary credit monitoring services to breach victims. Due to Blue Cross Blue Shield of Michigan’s policies, its members have been offered extended protection for 24 months.

Wolverine Solutions has already taken steps to improve security and has moved to a new computer system that has added protection against these types of attacks. All employees have also received further training on the new safeguards.

Author: HIPAA Journal

Share This Post On