Cybersecurity and Ransomware Attacks
All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth.
The day started out like any other day. Get up, get ready, load the vehicle, work, return home, repeat. On this day though, I went to the mailbox, just as I have done for years. Today though, there was a letter from the Wolverine Solutions Group. Not recognizing the name, curiously I opened the letter. It seems as though my healthcare provider, Michigan Eye Institute, used Wolverine Solutions Group for mailing services. Wolverine Solutions Group happens to have had a minor, itsy issue with cybersecurity: they were successfully attacked with ransomware, locking up their servers along with workstations. But other than that, everything was fine.
There are three businesses involved with the cybersecurity oversight.
Michigan Eye Institute. The medical practice focusing on the eye, located in Flint, MI.
Client Financial Services. This was a vendor for the Michigan Eye Institute.
Wolverine Solutions Group. They provide mailing services to businesses in the health-related industry. This includes health insurers and providers. The business is located in Detroit. They also provide billing services. A sample of their clients includes Blue Cross Blue Shield of Michigan, Health Alliance Plan, McLaren Health Plan, Three Rivers Health, and North Ottawa Community Health System.
Timeline
On or about September 23, 2018, Wolverine Solutions Group (WSG) had the opportunity to experience a ransomware attack. The attack primarily focused on encrypting their records. This locked up their servers and workstations, which was clearly bad. On October 3, 2018, WSG hired a forensic subject matter expert to review and analyze the events and attack. They began decrypting and restoring files and other affected areas. The expert did not identify any evidence that any data had been exfiltrated.
Due to the effort, most of the programs were restored by October 25, 2018. The critical operations were up and operating on November 5, 2018. On November 28, 2018, WSG notified Client Financial Services (CFS), a vendor to the Michigan Eye Institute, of the cybersecurity issue. On February 5, 2019, WSG provided Michigan Eye Institute the final list of affected users and the categories of data affected.
Ransomware is seen often in nearly all industries. This is partially because it is such a cost-effective attack that produces results. The operation involves encrypting the data and, after a successful attack, attempting to force the target to pay the fee. In this case, however, allegedly weak encryption was used.
Data
Unfortunately for the patients, it appears the data involved would be the patient’s name, address, date of birth, social security number, insurance contract information and numbers, and medical information. This is truly bad for the patients involved. This data is very saleable and can be marketed multiple times, depending on how it is bundled.
Help for the Patients
The patients are being offered identity theft protection through AllClear ID for 12 months. This also allows for an annual credit score and credit report, and a $1M identity theft insurance policy. Although this sounds good, the length honestly should be much longer. Any person with the patient’s data will probably wait for one year and one month before using this, to the patient’s detriment.
Questions/Concerns/Comments
In the review of the overall environment, there are a few questions. The business used WSG for mailing services. This is perfectly acceptable and a part of the natural operations. As WSG’s focus is mailing, why would they have access to medical records, and why were the records on WSG’s system? The medical records are not associated with a list of people to mail information to. Possibly they were mailing bills; however, this would be the only circumstance with a viable reason.
It took the business over five months to notify the users/patients of the cybersecurity issue. The patients were exposed for over five months. During this time, they were unaware of the data being out there and sold.
The forensic team did not believe any data was exfiltrated or “extracted,” yet the patients’ information was affected. Thinking through the events, if the attacker is focused on the system and risking federal prison, is the attacker really going to not secure the data and walk away once they finally compromised the perimeter defense? This is not a viable option.
Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.