Ransomware Attack on Vendor Affects 600,000Healthcare Billing Services Vendor Notifying Individuals of Potential Data Exposure
A ransomware attack last fall on a company that provides billing and other business services to health plans and hospitals resulted in a breach affecting more than 600,000 individuals, according to Michigan state officials.
The incident highlights the difficulty some organizations have in determining whether to report ransomware attacks as breaches to comply with the HIPAA Breach Notification Rule.
More than 600,000 Michigan residents may have had their information compromised in the breach at Detroit-based Wolverine Solutions Group, according to a statement from Michigan Attorney General Dana Nessel and Anita Fox, director of the state's department of insurance and financial services.
Wolverine Solutions Group's clients affected by the breach include Blue Cross Blue Shield of Michigan, Health Alliance Plan, McLaren Health Care, Three Rivers Health, and North Ottawa Community Health System, the Michigan officials say.
"The question of when to report a ransomware event under HIPAA is very tough."
—Adam Greene, Davis Wright Tremaine
A statement about the incident posted on Three River Health's website notes that Wolverine Solutions Group is a subcontractor to a company the hospital uses for patient collection services.
"Wolverine Solutions Group is taking full responsibility for the incident and is in the process of notifying affected patients and offering free credit monitoring and protection services," the Three River, Michigan-based hospital's statement notes.
Health Alliance Plan tells Information Security Media Group that the Wolverine incident potentially exposed information on about 120,000 of the insurer's members.
Other affected Wolverine Solutions Group clients listed in the statement from state officials did not immediately respond to a request for comment.
Wolverine Solutions Group also did not immediately respond to a request for more information, including whether additional companies or individuals in other states were also impacted by the ransomware attack.
According to a Feb. 27 statement posted on Wolverine Solution Group's website, information potentially exposed in the breach includes names, addresses, phone numbers, dates of birth, Social Security numbers, insurance contract information and medical information. The company says it does not believe any of the personal information was extracted by the ransomware attackers.
"On approximately Sept. 25, 2018, WSG discovered that an unauthorized party gained access to its computer system and infected the system with malware. The malware encrypted many of WSG's records, which made them inaccessible, in an effort to extort money from us," the company says.
After the company learned of the ransomware incident, it began an internal investigation and hired outside forensic security experts to begin the decryption and restoration process.
"All impacted files needed to be carefully 'cleaned' of any virus remnants prior to their review by forensic investigators. Most critical programs requiring decryption were restored by Oct. 25, 2018, and WSG's critical operations were running by Nov. 5, 2018," the company's statement says.
As the forensic team continued its decryption efforts to determine the type of information that was impacted, the identities of those affected - including the company's healthcare clients and specific individuals - began to emerge, the company says.
"Beginning in November and continuing in December, January and early February, WSG discovered and was able to identify those healthcare clients whose information was impacted by the incident. The timing of our notices to impacted individuals has been based on these 'rolling' discovery dates," the company says.
The first notices were mailed on Dec. 28, 2018, while additional notices were mailed in February and further notices are being sent in March, the company says.
"As a result of our investigation, WSG believes that the records were simply encrypted. There is currently no indication that the information itself was extracted from WSG's servers. Nevertheless, given the nature of the affected files ... we mailed letters to all impacted individuals recommending that they take immediate steps to protect themselves from any potential misuse of their information."
"Most PHI ransomware cases need to be treated as a HIPAA breach, unless forensic examination clearly shows no data exfiltration."
—Kate Borten, The Marblehead Group
As of Wednesday, the Department of Health and Human Services' HIPAA Breach Reporting Tool website, which tracks health data breaches impacting 500 or more individuals, did not contain any breach report entries that appear to be related to the Wolverine Solution Group incident.
Reportable Breaches Under HIPAA?
Despite HHS Office for Civil Rights guidance issued in 2016 advising that most ransomware attacks result in breaches that must be reported under the HIPAA Breach Notification Rule, many covered entities and business associates hit with ransomware attacks still struggle in their breach assessments of those incidents.
"The question of when to report a ransomware event under HIPAA is very tough," says privacy attorney Adam Greene of the law firm Davis Wright Tremaine.
"The OCR ransomware guidance indicates that organizations should consider lack of availability when determining whether an incident is a reportable breach, but there is no consensus on how much weight this factor should be given. As a result, organizations come to very different conclusions regarding whether a ransomware incident, where evidence indicates no exfiltration of data, is reportable."
Kate Borten, president of privacy and security consulting firm The Marblehead Group, offers a similar perspective.
"Most PHI ransomware cases need to be treated as a HIPAA breach, unless forensic examination clearly shows no data exfiltration," she notes.
"But that analysis may take time and money. And even then, the organization may not have retained logs sufficient to make a solid case for no exfiltration. That's the challenge of proving a negative."
Keith Fricke, principal consultant at tw-Security, says several factors affect the determination of whether a ransomware attack resulted in a reportable health data breach. The difficulty in determination "depends on what level of audit logging and retention of logs exists in an organization," he notes.
"Having logged events to refer back to can help determine the likelihood of a breach due to ransomware. Reviewing firewall logs can help identify if ransomware exfiltrated data. It also matters if the organization is inspecting some of its encrypted outbound traffic," Fricke says.
"Data-exfiltrating malware often extracts sensitive information over outbound encrypted channels. Without the necessary inspection in place, an organization may not be able to tell what specific information may have been exfiltrated."
In recent years, ransomware attacks on business associates have affected a variety of healthcare clients, and, in some cases, disrupted those vendors' own operations (see: Recent Ransomware Incidents Serve Up Lessons).
What steps can covered entities take to prevent becoming victims to ransomware or other cyberattacks on their vendors?
"Reviewing firewall logs can help identify if ransomware exfiltrated data."
—Keith Fricke, tw-Security
"Covered entities should prepare for PHI stored by a BA to be unavailable, and plan on how they will operate without such PHI," Greene suggests.
"Also, covered entities can consider as part of their due diligence asking questions about data backup plans, testing of recovery plans and network segmentation to avoid corruption of backups in a ransomware event."
Vendors need to be more transparent with their customers about their security practices, Fricke says. "Many CEs still have BAs sign the required HIPAA business associate agreement but do nothing further to assess the risks of doing business with that vendor," he notes.
But many healthcare organizations have relatively little control over these vendor-related risks, Borten warns.
"Most covered entities lack the resources and will to closely manage their business associates," she notes. "While vetting new BAs is essential, once the relationship is established, it's not realistic to imagine CE oversight that would prevent ransomware attacks."