More than 5 months after ransomware incident, Wolverine Solutions Group still notifying more than 700 companies and 1.2 million patients

More than 5 months after a ransomware incident, Wolverine Solutions Group is still in the process of notifying more than 700 companies and 1.2 million patients.  Should they even have to, or has the government imposed too burdensome a responsibility on entities that experience attacks to individually notify patients when there is no evidence of data theft or disclosure of private information?

Back in January,  DataBreaches.net noted that a ransomware incident at Wolverine Solutions discovered on September 25, 2018  had resulted in notifications to patients or members of  at least two of its clients or clients’ clients: Blue Cross Blue Shield of Michigan  (undisclosed number)  and  Equian, who sent notifications to 895 Molina Healthcare members.

Today, I saw a small article on ThreeRiverNews that provides additional information:

Wolverine Solutions Group, a subcontractor to a vendor Three Rivers Health uses for patient billing services, recently reported a data security incident that will affect over 8,000 Three Rivers Health patients, as well as 700 companies and 1.2 million individuals nationwide. The data breach did not involve Three Rivers Health’s electronic medical records or other information systems, according to Three Rivers Health CEO Dave Shannon.

“Several months ago Wolverine (Solutions Group) noticed they had someone who infiltrated their system for about five to eight minutes on two different occasions,” Shannon said at press conference Friday.

“They had a forensic audit done that took a long time, and we really just found out about it about two weeks ago. (Wolverine Solutions Group) believes the potential for people being affected is very small.”

So if  Wolverine notified BCBS of Michigan on November 8, 2018,  and they only first notified Three Rivers back in mid-February,  will HHS/OCR find that an acceptable gap to notification?  Obviously if the entity had 700 companies to notify and they had to determine what patients or members of those clients would need notification,  that is a massive task.  But how much delay is acceptable to government regulators?

On February 27,  Wolverine updated their breach disclosure to explain more of what happened after they discovered the ransomware on September 25, 2018,  writing,  in relevant part:

Shortly after WSG learned of the incident, we began an internal investigation and hired outside forensic security experts to help us. A team of forensic experts arrived on October 3, 2018 to begin the decryption and restoration process. All impacted files needed to be carefully “cleaned” of any virus remnants prior to their review by forensic investigators. Most critical programs requiring decryption were restored by October 25, 2018, and WSG’s critical operations were running by November 5, 2018. However, the forensic team continued its decryption efforts on the impacted files to determine the type of information that was affected, the identities of our Healthcare Clients, and the specific individuals involved. Beginning in November and continuing in December, January, and early February, WSG discovered and was able to identify those Healthcare Clients whose information was impacted by the incident. The timing of our notices to impacted individuals has been based on these “rolling” discovery dates.  The first notices were mailed on December 28, 2018. Additional notices have been mailed in February and further notices will be mailed in March.

As a result of our investigation, WSG believes that the records were simply encrypted. There is currently no indication that the information itself was extracted from WSG’s servers. Nevertheless, given the nature of the affected files, some of which contained individual patient information (names, addresses, dates of birth, social security numbers, insurance contract information and numbers, phone numbers, and medical information, including some highly sensitive medical information), out of an abundance of caution, we mailed letters to all impacted individuals recommending that they take immediate steps to protect themselves from any potential misuse of their information.

So they have “rolling” discovery dates?  I do not see how that justifies delayed notification to clients and clients’ patients or members. I can see arguing,  “Hey,  we have no evidence of any exfiltration and the data were just locked up, so there’s no urgency about notification as people’s care and information is not at risk,” but to suggest that entities can be considered compliant when there is a “rolling discovery”  process that results in months’ delay in notification does not seem appropriate to me —  or consistent with the intent of the regulations to provide timely notification of breaches.

But maybe it is time to revisit HHS’s interpretation of the regulations and reconsider whether entities really do need to individually notify patients  or companies if forensic investigation finds no evidence at all of exfiltration and that the only impact was files were locked up.  Seriously: if files are locked up by ransomware but the entity can restore from backup so file corruption isn’t even a concern,  explain to me why the entity should  have to start individually notifying patients.  Of what benefit is that  to the patients at that point?  If an entity had inadequate security — i.e.,  if they were out of compliance with HIPAA’s Security Rule, then fine them.  But why require them to spend months and months on investigation and notifications that do not protect the patients but that divert funds and resources that could be otherwise used?

I have no idea how much this incident has cost Wolverine already or what the total cost will be eventually,  but is the HIPAA “cure” worse than the disease  at this point? Feel free to sound off in the Comments section.

About the author: Dissent