The personal information and medical data of more than 600,000 people in Michigan may have been compromised in a cyberattack, the state's attorney general said Monday.
Hackers may have accessed the names, addresses, Social Security numbers and medical information of customers of several Michigan health care companies, including Blue Cross Blue Shield of Michigan, Health Alliance Plan and McLaren Health Care, Dana Nessel said.
The business that hackers targeted, Wolverine Solutions Group, a health care company that partners with health plans and hospital systems, said that it has begun notifying clients whose information was compromised by the breach.
Wolverine said it discovered the breach in September, when malicious actors accessed and infected its network with malware. Rather than merely stealing customer data, Wolverine said, the hackers seized control of the company's records, encrypting them and making them inaccessible in an effort to extort the company. Hospitals and government offices are among the frequent targets of ransomware.
But technology has moved on in the intervening time, and there are now other ways to keep an eye on employees , as an article in the Washington Post describes: Devices worn on employees’ bodies are an increasingly valuable source of workforce health intelligence for employers and insurance companies.
Wolverine issued an updated public notice to customers last month, stating that affected consumers would receive identity protection services and urged customers to take additional steps to protect themselves.
The notice does not say how hackers gained access to Wolverine’s systems, how long they remained undetected, or how the company first learned of their presence. Wolverine said that it has "migrated to a different computer system that has added protections and trained our workforce in safeguards."
Wolverine did not immediately respond to a request for comment.
Wolverine said there currently is no indication the hackers extracted customer data from its servers, but that it mailed the letters "out of an abundance of caution" and because the data included sensitive medical information.
Nessel said that Michigan, unlike some states, does not require companies to notify the attorney general's office of data breaches. Her office learned of the breach from news reports, she said, and has asked Wolverine to provide it with more information.
Nessel suggested that affected individuals take steps to safeguard their information, including enrolling in the free identity protection services, placing a fraud alert on their credit file and consider freezing their credit file.
The advisory comes as lawmakers on Capitol Hill voice growing interest in advancing data-security legislation that would require companies to better protect consumers' data and more swiftly alert them in the event of a major cyberattack. At a congressional hearing last week, senators took aim at Equifax and Marriott, which recently had been targeted in separate data breaches. Lawmakers criticized the companies for what they described as lax cybersecurity practices.