HAP customers’ personal information may have been affected by data breach
Detroit Free Press (MI)
Mar. 6 -- More than 120,000 Health Alliance Plan clients' personal and protected medical information may have been compromised in a security breach, a company spokeswoman told the Free Press on Tuesday.
Letters notifying customers of the breach were sent last week by Wolverine Solutions Group, a Detroit-based company HAP hired to manage its mailing services. The letters said the security problem occurred on or around Sept. 23, when Wolverine Solutions Group "experienced a ransomware incident -- a malicious software that attacked and locked up our servers and workstations."
HAP said Tuesday in a statement that the incident may have exposed customers' names, addresses, dates of birth, member identification numbers, health care provider names, patient identification numbers and claim information, such as the service codes and payment amounts. It suggested Social Security numbers and credit card information were not exposed in the breach.
Wolverine Solutions Group notified HAP of the incident Nov. 28, but the company was not certain until early February of the extent of the breach and what data was most likely compromised, a HAP spokeswoman said.
"HAP takes its responsibility to protect our members' information very seriously," the company said in a statement. "We sincerely apologize this happened to our members. Wolverine Solutions Group has issued an apology to HAP and our impacted members."
A total of 120,344 HAP customers may have been affected, a HAP spokeswoman said, and any HAP member with questions about the breach may call 877-412-7152 for more information.
Wolverine Solutions Group also performs mailing services for other clients, including health plans and hospital systems, which also were affected in the malware attack, company President Darryl English said.
Blue Cross Blue Shield of Michigan customers were notified in December, he said, that their information also may have been compromised.
"About 150,000 of our members were impacted, with about 100,000 of them residing in Michigan," a spokeswoman for Blue Cross Blue Shield of Michigan said in an email. "The others are dispersed across many other states. BCBSM offered our members 24 months of credit protection through AllClear ID. We are working with Wolverine on a remediation plan they developed in response to the incident.
"We have no indication that any member information was extracted during the incident."
English said the investigation is ongoing, and additional companies and clients he could not name would be alerted through March if their data also is at risk.
Each letter mailed to those affected by the security breach has been individualized to explain the depth of compromised data, English said. And although Social Security numbers were not compromised among HAP clients, other customers' Social Security numbers may have been.
"The review of the actual data was done by a forensics company, which determined if any of those elements of data, like a Social Security number or a medical record number, or anything like that was included," English said. "All of those things were recorded ... on an individual level. So there could be one person who may have had a Social Security number (compromised), but the person next to them did not. ... They're given that type of detail inside their letter. It is customized to the point where it does tell the individual what type of information was involved."
The forensic investigation of the malware attack suggests that records were encrypted, English said, and there's no evidence yet that the information has been retrieved or misused.
"Nevertheless, given the nature of the affected files, some of which contained individual patient information (names, addresses, dates of birth, social security numbers, insurance contract information and numbers, phone numbers, and medical information, including some highly sensitive medical information), out of an abundance of caution, we mailed letters to all impacted individuals recommending that they take immediate steps to protect themselves from any potential misuse of their information," Wolverine Solutions Group posted in a statement on its website.
Peter Pterneas, 65, of Centerline said he got a letter in the mail Saturday from Wolverine Solutions Group.
He hasn't been insured by HAP since late 2016, and says he's concerned about what data was taken and how it might be used.
"We keep a tight review of our credit history so we're able to catch these things early," said Pterneas. "I got the impression from this that it's a possibility that my information was breached. I don't really feel assured. I feel like they're covering their bases, but they're not really admitting my information was taken.
"They have all the disclaimer words in here, you know, like 'your data may have been affected,' and 'we're notifying all the clients.' It is the general catch-all language that they're throwing out there to cover their bases so they can say that they're notifying me."
Wolverine Solutions Group is urging anyone who was potentially affected by the breach to:
-- Contact Equifax, TransUnion and Experian, the three national credit-reporting agencies, as soon as possible to add a fraud alert statement to your credit file and remove your name from mailing lists of pre-approved offers of credit.
-- Monitor all bills and credit-card charges to ensure they are legitimate.
-- Frequently review bank account statements, watching for checks, purchases, or deductions you didn't make.
-- Report any suspicion of identity theft to your local police department and the fraud department of the Federal Trade Commission.
-- Review your explanation of benefits statements from your health insurance provider and look for accounts or creditor inquiries, transactions or services that you did not initiate or do not recognize.
The company is offering AllClear ID for identity protection for one year for HAP employees whose information may have been compromised.
The letter mailed to affected HAP customers says Wolverine Solutions Group is trying to ensure it doesn't happen again: "We have migrated to a different computer system that has added protections and are training our workforce in safeguards."
Pterneas said he'll continue to be vigilant about monitoring his credit now that there's a chance his personal information was taken.
"I have already been a victim once of fraud," he said. "This is coming to light again from a company that I didn't feel took care of me, which was their job. And now that I'm gone, they're still not taking care of me or hundreds of other people. ... And there's nothing we can do about it."
Contact Kristen Jordan Shamus: 313-222-5997 or [email protected]. Follow her on Twitter @kristenshamus.
Editor's note: This story has been updated to include more details about how the security breach affected customers of Blue Cross Blue Shield of Michigan and to clarify the depth of the breach among HAP customers.