HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

More Than 600,000 Michigan Residents Affected by Wolverine Solutions Breach, Warns AG Nessel

Michigan Attorney General Dana Nessel has issued a warning to Michigan residents about the ransomware attack on Detroit-based Wolverine Solutions Group, which she says may have affected more than 600,000 Michigan residents.

Nessel has advised all individuals who receive a breach notification letter to sign up for credit monitoring services, to monitor their accounts and EoB statements for signs of fraudulent use of their data, to place a fraud alert on their credit file and to consider freezing their credit file as a protection against fraud and identity theft.

The cyberattack on Wolverine Solutions Group occurred on or around September 23, 2018. Critical systems were mostly restored within a month, but it has taken considerably longer to determine which clients had been affected. Some clients were only notified about the extent of the attack in March.

While the types of information differ from company to company and individual to individual, the exposed information may include data elements such as names, addresses, dates of birth, social security numbers, insurance contract information and numbers, phone numbers, and medical information.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Healthcare organizations known to be affected include:

  • Blue Cross Blue Shield of Michigan
  • Mary Free Bed Rehabilitation Hospital
  • Spectrum Health Lakeland
  • Sparrow Health System
  • McLaren Health Care
  • Covenant Health Care
  • Health Alliance Plan
  • North Ottawa Community Health System
  • Three Rivers Health
  • Warren General Hospital
  • University of Pittsburgh Medical Center Kane

The attack is believed to have started with the download of the Emotet Trojan, which in turn downloaded the ransomware that encrypted files containing protected health information. The Emotet Trojan has been used in several recent attacks in combination with Ryuk ransomware. Wolverine Solutions’ president Darryl English told the Daily Swig that the ransom demand was paid.

“Data breaches can be devastating to the affected individuals,” said Nessel on Monday. “It’s important this office provide affected customers with any and all available resources to help limit the effects of this – or any – breach. And today, we’re doing just that.”

Under state laws, Wolverine was not obliged to notify the attorney general of the breach. Nessel discovered the breach from media reports and has written to Wolverine requesting further information about the incident. Most other states require notifications of data breaches to be sent to the state attorney general. This breach could well trigger an update to data breach notification laws in Michigan.

While AG Nessel has put the number of affected individuals at 600,000 or more, the final total is not yet confirmed and, according to Wolverine, could be in the high six figures.

Wolverine Solutions is issuing notifications to affected individuals and is offering them free access to credit monitoring and identity theft protection services.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.