Over 600,000 Michigan Residents Potentially Affected by Ransomware Attack

Michigan Attorney General Dana Nessel issued an alert regarding the potential impact of the ransomware attack on Wolverine Solutions Group in Detroit to over 600,000 residents of Michigan.

Nessel has instructed all people who get a breach notification letter to enroll for credit monitoring services, to keep track of their EoB statements and accounts to see if there is suspicious use of data, to put an alert for fraud on their credit file and to look into freezing their credit record as a safety measures against fraudulence and identity theft.

The ransomware attack on Wolverine Solutions Group happened around September 23, 2018. Critical systems were largely recovered in one month, however, it took a longer time to identify which clients were impacted. So, a number of clients only received notifications about the magnitude of the cyberattack in March.

Although the types of information vary from one company to another and from one person to another, the exposed data possibly included the following data elements: names, addresses, birth dates, social security numbers, insurance policy data and numbers, telephone numbers, and medical data.

The following healthcare organizations were affected:

  • Blue Cross Blue Shield of Michigan
  • Sparrow Health System
  • Mary Free Bed Rehabilitation Hospital
  • McLaren Health Care
  • Health Alliance Plan
  • Covenant Health Care
  • North Ottawa Community Health System
  • Warren General Hospital
  • Three Rivers Health
  • University of Pittsburgh Medical Center Kane

Wolverine Solutions believes that the ransomware attack began with the Emotet Trojan download, which prompted the download of the ransomware that encrypted the files that contain protected health information (PHI). Several recent attacks had been launched using the Emotet Trojan along with the Ryuk ransomware. Wolverine Solutions’ President Darryl English shared with the Daily Swig that the company paid a ransom demand.

Attorney General Nessel said that data breaches can have a devastating effect on people. So, it is critical for his office to give affected consumers all available resources to limit the impact of breaches.

The state laws of Michigan does not require Wolverine to inform the attorney general of a breach incident. Nessel found out about the breach from the reports of media and wrote to Wolverine asking for additional information regarding the incident. The majority of the states require the sending of data breach notifications to the state attorney general’s office. This breach may possibly prompt an update of Michigan’s data breach notification regulations.

Although AG Nessel reported that 600,000 or more people were affected, the final number is not yet verified and, as per Wolverine, it could be as high as six figures.

Wolverine Solutions is sending notification letters to affected persons and is providing them complimentary credit monitoring and identity theft protection services.