[BreachExchange] HAP customers' personal information at risk after data breach of vendor

Destry Winant destry at riskbasedsecurity.com
Wed Mar 6 10:18:15 EST 2019


More than 120,000 Health Alliance Plan clients' personal and protected
medical information may have been compromised in a security breach, a
company spokeswoman told the Free Press on Tuesday.

Letters notifying customers of the breach were sent last week by
Wolverine Solutions Group, a Detroit-based company HAP hired to manage
its mailing services. The letters said the security problem occurred
on or around Sept. 23, when Wolverine Solutions Group "experienced a
ransomware incident — a malicious software that attacked and locked up
our servers and workstations."

HAP said Tuesday in a statement that the incident may have exposed
customers' names, addresses, dates of birth, member identification
numbers, health care provider names, patient identification numbers
and claim information, such as the service codes and payment amounts.
It suggested Social Security numbers and credit card information were
not exposed in the breach.

Wolverine Solutions Group notified HAP of the incident Nov. 28, but
the company was not certain until early February of the extent of the
breach and what data was most likely compromised, a HAP spokeswoman

"HAP takes its responsibility to protect our members’ information very
seriously," the company said in a statement. "We sincerely apologize
this happened to our members.  Wolverine Solutions Group has issued an
apology to HAP and our impacted members."

A total of 120,344 HAP customers may have been affected, a HAP
spokeswoman said, and any HAP member with questions about the breach
may call 877-412-7152 for more information.

Wolverine Solutions Group also performs mailing services for other
clients, including health plans and hospital systems, which also were
affected in the malware attack, company President Darryl English said.

Blue Cross Blue Shield of Michigan customers were notified in
December, he said, that their information also may have been

"About 150,000 of our members were impacted, with about 100,000 of
them residing in Michigan," a spokeswoman for Blue Cross Blue Shield
of Michigan said in an email. "The others are dispersed across many
other states. BCBSM offered our members 24 months of credit protection
through AllClear ID. We are working with Wolverine on a remediation
plan they developed in response to the incident.

"We have no indication that any member information was extracted
during the incident."

English said the investigation is ongoing, and additional companies
and clients he could not name would be alerted through March if their
data also is at risk.

Each letter mailed to those affected by the security breach has been
individualized to explain the depth of compromised data, English said.
And although Social Security numbers were not compromised among HAP
clients, other customers' Social Security numbers may have been.

"The review of the actual data was done by a forensics company, which
determined if any of those elements of data, like a Social Security
number or a medical record number, or anything like that was
included," English said. "All of those things were recorded … on an
individual level. So there could be one person who may have had a
Social Security number (compromised), but the person next to them did
not.  … They’re given that type of detail inside their letter. It is
customized to the point where it does tell the individual what type of
information was involved."

The forensic investigation of the malware attack suggests that records
were encrypted, English said, and there's no evidence yet that the
information has been retrieved or misused.

"Nevertheless, given the nature of the affected files, some of which
contained individual patient information (names, addresses, dates of
birth, social security numbers, insurance contract information and
numbers, phone numbers, and medical information, including some highly
sensitive medical information), out of an abundance of caution, we
mailed letters to all impacted individuals recommending that they take
immediate steps to protect themselves from any potential misuse of
their information," Wolverine Solutions Group posted in a statement on
its website.

Peter Pterneas, 65, of Centerline said he got a letter in the mail
Saturday from Wolverine Solutions Group.

He hasn't been insured by HAP since late 2016, and says he's concerned
about what data was taken and how it might be used.

"We keep a tight review of our credit history so we're able to catch
these things early," said Pterneas. "I got the impression from this
that it's a possibility that my information was breached. I don't
really feel assured. I feel like they're covering their bases, but
they're not really admitting my information was taken.

"They have all the disclaimer words in here, you know, like 'your data
may have been affected,' and 'we're notifying all the clients.' It is
the general catch-all language that they're throwing out there to
cover their bases so they can say that they're notifying me."

Wolverine Solutions Group is urging anyone who was potentially
affected by the breach to:

Contact Equifax, TransUnion and Experian, the three national
credit-reporting agencies, as soon as possible to add a fraud alert
statement to your credit file and remove your name from mailing lists
of pre-approved offers of credit.

Get a free copy of your credit report by going to www.annualcreditreport.com.

Monitor all bills and credit-card charges to ensure they are legitimate.

Frequently review bank account statements, watching for checks,
purchases, or deductions you didn't make.

Report any suspicion of identity theft to your local police department
and the fraud department of the Federal Trade Commission.

Review your explanation of benefits statements from your health
insurance provider and look for accounts or creditor inquiries,
transactions or services that you did not initiate or do not

The company is offering AllClear ID for identity protection for one
year for HAP employees whose information may have been compromised.

The letter mailed to affected HAP customers says Wolverine Solutions
Group is trying to ensure it doesn't happen again: "We have migrated
to a different computer system that has added protections and are
training our workforce in safeguards."

Pterneas said he'll continue to be vigilant about monitoring his
credit now that there's a chance his personal information was taken.

"I have already been a victim once of fraud," he said. "This is coming
to light again from a company that I didn't feel took care of me,
which was their job. And now that I'm gone, they're still not taking
care of me or hundreds of other people. ... And there's nothing we can
do about it."
