Somewhere between 600,000 and 1.2 million patients could ultimately be affected by a massive healthcare breach that's continuing to make headlines in Michigan.

Wolverine Solutions Group, a Detroit-based subcontractor that performs services for healthcare clients - like printing and mailing bills for patients - was hit by ransomware last September but the true scope of the incident is still being realized.

Michigan's Attorney General Dana Nessel and the state's Department of Insurance and Financial Service Director Anna Fox warned last week that data belonging to more than 600,000 patients may have been affected by the incident. Information that could have been compromised includes Michiganders' names, addresses, dates of birth, social security numbers, insurance contract information and numbers, phone numbers, and medical information.

The attack occurred around September 23 last year when Wolverine Solutions learned that its records had been encrypted. It wasn't resolved until more than a month after the fact; the organization contracted a team to investigate on October 3 and was able to restore critical programs three weeks later, on October 25. The team was able to restore critical operations 11 days later, on November 5. Wolverine, for what it's worth,

While Wolverine was able to decrypt and restore the files and believes the attack was carried out solely to obtain a ransom, it told healthcare organizations it couldn’t rule out the possibility the data, which it believes was encrypted, had been exfiltrated.

Facilities like Health Alliance Plan of MIchigan, Three Rivers Health, North Ottawa Community Health System, Mary Free Bed Rehabilitation Hospital, Covenant Hospital, Sparrow Hospital, Molina Healthcare, and McLaren Health Care, all appear to be impacted by the breach.

Customers of Health Alliance Plan, a nonprofit that’s a subsidiary of the Henry Ford Health System, account for 20 percent of the breach’s victims. HAP said last week in a statement that all 120,344 of its patients may have been affected but couldn't commit to whether credit card and social security numbers were exposed.

According to HAP, Wolverine contacted the company about the breach on November 28 but has been conflicted for months, until early February, around how much data was compromised.

Three Rivers Health, a non-profit community hospital that had 8,000 patients affected, told a local paper it didn't learn about the breach until last month and that the breach could be bigger than is being reported. In total, 700 companies and 1.2 million individuals nationwide – double the figure currently making the rounds – could wind up affected by the incident.

“Several months ago Wolverine (Solutions Group) noticed they had someone who infiltrated their system for about five to eight minutes on two different occasions,” Three Rivers’ CEO, Dave Shannon told the paper. “They had a forensic audit done that took a long time, and we really just found out about it about two weeks ago. (Wolverine Solutions Group) believes the potential for people being affected is very small.”

That it took so long for some organizations to learn they were breached isn’t a huge surprise. In its breach notification notice, Wolverine says it took the better part of November, all of December, January, and some of February to determine which clients had data impacted in the incident. The notice says that while some breach notifications went out to affected individuals beginning in December, more notices are expected to be sent this month.

The number of victims affected, from organization to organization, run the gamut. While Health Alliance Plan had over 120,000 victims, Mary Free Bed Rehabilitation Hospital, a facility based in Grand Rapids, said 4,700 of its patients were affected. The University of Michigan was one of the first, in December, to disclose that a fraction of that number, only 70 employees, were impacted by the breach.

Michigan has taken steps to bring it up to date on cybersecurity. Lawmakers there made it illegal to possess ransomware last year. Still, the fact that Michigan's law doesn't require the attorney general be notified in the event of a data breach has no doubt muddied the waters around the story. Nessel said her office didn't become aware of the breach until it learned about it in the media and that the office is in the process of seeking more information on the breach from Wolverine.

The breach again underscores the importance of security around organizations who rely on third parties to handle sensitive data.
 
A similar story involving a healthcare facility and a third-party financial services vendor that handled billing for it surfaced earlier this month. That incident may have wound up exposing data belonging to 45,000 patients after an employee accessed a file containing patient protected health information (PHI).