A ransomware attack may have accessed the names, addresses, social security numbers and medical information of customers of several Michigan healthcare companies. (iStock/iStock)

By Hamza Shaban

Hamza Shaban

Technology reporter

Email Bio Follow

March 11

The personal information and medical data of more than 600,000 people in Michigan may have been compromised in a cyberattack, the state’s attorney general said Monday.

Hackers may have accessed the names, addresses, social security numbers and medical information of customers of several Michigan healthcare companies, including Blue Cross Blue Shield of Michigan, Health Alliance Plan and McLaren Health Care, Dana Nessel said.

The business that hackers targeted, Wolverine Solutions Group (WSG), a healthcare company that partners with health plans and hospital systems, said that it has begun notifying clients whose information was compromised by the breach.

WSG said it discovered the breach in September, when malicious actors accessed and infected its network with malware. Rather than merely stealing customer data, WSG said, the hackers seized control of the company’s records, encrypting them and making them inaccessible in an effort to extort the company. Hospitals and government offices are among the frequent targets of ransomware.

WSG issued an updated public notice to customers last month, stating that affected consumers would receive identity protection services and urged customers to take additional steps to protect themselves.

The notice does not say how hackers gained access to WSG’s systems, how long they remained undetected, or how the company first learned of their presence. WSG said that it has “migrated to a different computer system that has added protections and trained our workforce in safeguards.”

Wolverine Solutions Group did not immediately respond to a request for comment.

WSG said there currently is no indication the hackers extracted customer data from its servers, but that it mailed the letters “out of an abundance of caution” and because the data included sensitive medical information.

Nessel said that Michigan, unlike some states, does not require companies to notify the attorney general’s office of data breaches. Her office learned of the breach from news reports, she said, and has asked WSG to provide it with more information.

Nessel suggested that affected individuals take steps to safeguard their information, including enrolling in the free identity protection services, placing a fraud alert on their credit file and consider freezing their credit file.

The advisory comes as lawmakers on Capitol Hill voice growing interest in advancing data-security legislation that would require companies to better protect personal data and more swiftly alert consumers about cyberattacks. At a congressional hearing last week, senators took aim at Equifax and Marriott, both recent cyberattck targets. Lawmakers criticized the companies for what they described as lax cybersecurity practices.