Michigan Attorney General Dana Nessel has issued a warning to Michigan residents about the ransomware attack on Detroit-based Wolverine Solutions Group, which she says may have affected more than 600,000 Michigan residents.
Nessel has advised all individuals who receive a breach notification letter to sign up for credit monitoring services, to monitor their accounts and EoB statements for signs of fraudulent use of their data, to place a fraud alert on their credit file and to consider freezing their credit file as a protection against fraud and identity theft.
The cyberattack on Wolverine Solutions Group occurred on or around September 23, 2018. Critical systems were mostly restored within a month, but it has taken considerably longer to determine which clients had been affected. Some clients were only notified about the extent of the attack in March.
While the types of information differ from company to company and individual to individual, the exposed information may include data elements such as names, addresses, dates of birth, social security numbers, insurance contract information and numbers, phone numbers, and medical information.
Healthcare organizations known to be affected include:
- Blue Cross Blue Shield of Michigan
- Mary Free Bed Rehabilitation Hospital
- Spectrum Health Lakeland
- Sparrow Health System
- McLaren Health Care
- Covenant Health Care
- Health Alliance Plan
- North Ottawa Community Health System
- Three Rivers Health
- Warren General Hospital
- University of Pittsburgh Medical Center Kane
The attack is believed to have started with the download of the Emotet Trojan, which in turn downloaded the ransomware that encrypted files containing protected health information. The Emotet Trojan has been used in several recent attacks in combination with Ryuk ransomware. Wolverine Solutions’ president Darryl English told the Daily Swig that the ransom demand was paid.
“Data breaches can be devastating to the affected individuals,” said Nessel on Monday. “It’s important this office provide affected customers with any and all available resources to help limit the effects of this – or any – breach. And today, we’re doing just that.”
Under state laws, Wolverine was not obliged to notify the attorney general of the breach. Nessel discovered the breach from media reports and has written to Wolverine requesting further information about the incident. Most other states require notifications of data breaches to be sent to the state attorney general. This breach could well trigger an update to data breach notification laws in Michigan.
While AG Nessel has put the number of affected individuals at 600,000 or more, the final total is not yet confirmed and, according to Wolverine, could be in the high six figures.
Wolverine Solutions is issuing notifications to affected individuals and is offering them free access to credit monitoring and identity theft protection services.