All is relatively well here at Woesnotgone
Meadow, where everyone has above average bandwidth.
The day started out like any other day. Get up,
get ready, load the vehicle, work, return home, repeat. On this day though, I
went to the mailbox, just as I have done for years. Today though, there was a
letter from the Wolverine Solutions Group. Not recognizing the name, curiously
I opened the letter. It seems as though my healthcare provider, Michigan Eye
Institute, used Wolverine Solutions Group for mailing services. Wolverine
Solutions Group happens to have had a minor, itsy issue with cybersecurity: they
were successfully attacked with ransomware, locking up their servers along with
workstations. But other than that, everything was fine.
There are three businesses involved with the cybersecurity oversight.
a. Michigan Eye Institute. The medical practice focussing on the eye, located in Flint, MI.
b. Client Financial Services. This was a vendor for the Michigan Eye Institute.
c. Wolverine Solutions Group. They provide mailing services to businesses in the
health-related industry. This includes health insurers and providers. The business
is located in Detroit. They also provide billing services. A sample of their clients
includes Blue Cross Blue Shield of Michigan, Health Alliance Plan, McLaren Health Plan,
Three Rivers Health, and North Ottawa Community Health System.
Timeline
On or about September 23, 2018, Wolverine
Solutions Group (WSG) had the opportunity to experience a ransomware attack.
The attack primarily focussed on encrypting their records. This locked up their
servers and workstations, which was clearly bad. On October 3, 2018, WSG hired a
forensic subject matter expert to review and analyze the events and attack.
They began the decryption process and the restoration of files and other affected areas.
The expert did not identify any evidence that any data had been exfiltrated.
Due to the effort, most of the programs were
restored by October 25, 2018. The critical operations were up and operating on
November 5, 2018. On November 28, 2018, WSG notified Client Financial Services
(CFS), a vendor to the Michigan Eye Institute, of the cybersecurity
issue. On February 5, 2019, WSG provided Michigan Eye Institute with the final list
of affected users and the categories of data affected.
Ransomware is seen so often in nearly all industries.
This is partially due to it being such a cost-effective attack that produces results.
The operation involves encrypting the data and, after a successful attack,
attempting to force the target to pay the fee. In this case, however,
allegedly weak encryption was used.
Data
Unfortunately for the patients, it appears the
data involved would be the patient’s name, address, date of birth, social
security number, insurance contract information and numbers, and medical
information. This is truly bad for the patients involved. This data is very
saleable and marketable multiple times, depending on how it is bundled.
Help for the Patients
The patients are being offered identity theft
protection through AllClear ID for 12 months. This also allows for an annual
credit score and credit report, and a $1M identity theft insurance policy.
Although this sounds good, the length honestly should be much longer. Any
person with the patient’s data will probably wait for one year and one month
before using this, to the patient’s detriment.
Questions/Concerns/Comments
In the review of the overall environment, there
are a few questions. The business used WSG for mailing services. This is
perfectly acceptable and a part of the natural operations. As WSG’s focus is
mailing, why would they have access to medical records, and why were they on
WSG’s system? The medical records are not associated with a list of people to
mail information to. Possibly they were mailing bills; however, this would be
the only viable reason.
It took the business over five months to notify
the users/patients of the cybersecurity issue. The patients were exposed for
over five months. During this time, they were unaware of the data being out
there, being sold.
The forensic team did not believe any data was
exfiltrated or “extracted,” yet the patients’ information was affected. Thinking
through the events, if the attacker is focused on the system and risking
federal prison, is the attacker really going to not secure the data and walk
away once they finally compromised the perimeter defense? This is not a viable
option.
Thanks for visiting Woesnotgone Meadow, where
the encryption is strong, and the O/Ss are always using the latest version.
Resources
1051 The Bounce. (2019, March 11). Are you one
of the 600,000 michigan residents affected in data breach. Retrieved from https://1051thebounce.com/2019/03/11/are-you-one-of-600000-michigan-residents-affected-in-data-breach/
13ABC. (2019, March 11). Michigan residents
warned about health care data breach. Retrieved from https://www.13abc.com/content/news/Michigan-residents-warned-about-health-care-data-brech-506985321.html
62CBS Detroit. (2019, March 11). Health care
data breach affects 600k michigan residents. Retrieved from https://detroit.cbslocal.com/2019/03/11/health-care-data-breach-affects-600k-michigan-residents
Davis, J. (2019, March 12). More than 600,000 affected
by michigan health care data breach. Retrieved from https://securitytoday.com/articles/2019/03/12/more-than-600000-affected-by-michigan-health-care-data-breach.aspx?m=1
Goedert, J. (2019, March 15). 600,000 affected
by huge data breach in michigan. Retrieved from https://www.healthdatamanagement.com/news/600-000-affected-by-huge-data-breach-in-michigan
Scott. (2019, March 12). Data breach may have
exposed 600,000 michigan residents. Retrieved from https://smallbusinessbigthreat.com/blog/2019/03/12/data-breach-may-have-exposed-600000-michigan-residents/
Strachan, J. (2019, March 11). More than 600,000
in Michigan Affected by health care data breach. Retrieved from https://patch.com/michigan/across-mi/more-600-000-michigan-affected-health-care-data-breach
The Associated Press. (2019, March 11). Michigan
residents warned about health care data breach. Retrieved from https://www.kansas.com/news/business/article22740489.html
Wolverine Solutions Group. (2019, February 27).
Notice of breach/cybersecurity incident-updated 02.27.2019. Retrieved from https://www.wolverinemail.com/cyber-security-event/
Wolverine Solutions Group. (2019, February 28).
Letter signed by Robert Tokar.