More than 5 months after a ransomware incident, Wolverine Solutions Group is still in the process of notifying more than 700 companies and 1.2 million patients. Should they even have to, or has the government imposed too burdensome a responsibility on entities that experience attacks to individually notify patients when there is no evidence of data theft or disclosure of private information?
Back in January, DataBreaches.net noted that a ransomware incident at Wolverine Solutions discovered on September 25, 2018 had resulted in notifications to patients or members of at least two of its clients or clients’ clients: Blue Cross Blue Shield of Michigan (undisclosed number) and Equian, who sent notifications to 895 Molina Healthcare members.
Today, I saw a small article on ThreeRiverNews that provides additional information:
Wolverine Solutions Group, a subcontractor to a vendor Three Rivers Health uses for patient billing services, recently reported a data security incident that will affect over 8,000 Three Rivers Health patients, as well as 700 companies and 1.2 million individuals nationwide. The data breach did not involve Three Rivers Health’s electronic medical records or other information systems, according to Three Rivers Health CEO Dave Shannon.
“Several months ago Wolverine (Solutions Group) noticed they had someone who infiltrated their system for about five to eight minutes on two different occasions,” Shannon said at press conference Friday.
“They had a forensic audit done that took a long time, and we really just found out about it about two weeks ago. (Wolverine Solutions Group) believes the potential for people being affected is very small.”
So if Wolverine notified BCBS of Michigan on November 8, 2018, and they only first notified Three Rivers back in mid-February, will HHS/OCR find that an acceptable gap to notification? Obviously if the entity had 700 companies to notify and they had to determine what patients or members of those clients would need notification, that is a massive task. But how much delay is acceptable to government regulators?
On February 27, Wolverine updated their breach disclosure to explain more of what happened after they discovered the ransomware on September 25, 2018, writing, in relevant part:
Shortly after WSG learned of the incident, we began an internal investigation and hired outside forensic security experts to help us. A team of forensic experts arrived on October 3, 2018 to begin the decryption and restoration process. All impacted files needed to be carefully “cleaned” of any virus remnants prior to their review by forensic investigators. Most critical programs requiring decryption were restored by October 25, 2018, and WSG’s critical operations were running by November 5, 2018. However, the forensic team continued its decryption efforts on the impacted files to determine the type of information that was affected, the identities of our Healthcare Clients, and the specific individuals involved. Beginning in November and continuing in December, January, and early February, WSG discovered and was able to identify those Healthcare Clients whose information was impacted by the incident. The timing of our notices to impacted individuals has been based on these “rolling” discovery dates. The first notices were mailed on December 28, 2018. Additional notices have been mailed in February and further notices will be mailed in March.
As a result of our investigation, WSG believes that the records were simply encrypted. There is currently no indication that the information itself was extracted from WSG’s servers. Nevertheless, given the nature of the affected files, some of which contained individual patient information (names, addresses, dates of birth, social security numbers, insurance contract information and numbers, phone numbers, and medical information, including some highly sensitive medical information), out of an abundance of caution, we mailed letters to all impacted individuals recommending that they take immediate steps to protect themselves from any potential misuse of their information.
So they have “rolling” discovery dates? I do not see how that justifies delayed notification to clients and clients’ patients or members. I can see arguing, “Hey, we have no evidence of any exfiltration and the data were just locked up, so there’s no urgency about notification as people’s care and information is not at risk,” but to suggest that entities can be considered compliant when there is a “rolling discovery” process that results in months’ delay in notification does not seem appropriate to me — or consistent with the intent of the regulations to provide timely notification of breaches.
But maybe it is time to revisit HHS’s interpretation of the regulations and reconsider whether entities really do need to individually notify patients or companies if forensic investigation finds no evidence at all of exfiltration and the only impact was that files were locked up. Seriously: if files are locked up by ransomware but the entity can restore from backup, so that file corruption isn’t even a concern, explain to me why the entity should have to start individually notifying patients. Of what benefit is that to the patients at that point? If an entity had inadequate security — i.e., if they were out of compliance with HIPAA’s Security Rule — then fine them. But why require them to spend months and months on investigation and notifications that do not protect the patients but that divert funds and resources that could otherwise be put to better use?
I have no idea how much this incident has cost Wolverine already or what the total cost will be eventually, but is the HIPAA “cure” worse than the disease at this point? Feel free to sound off in the Comments section.
First note: we’re talking about a breach of unsecured PHI, not a breach of HIPAA — remember, failing to give a patient a NoPP or failure to train employees is a HIPAA breach, even though it is to notify the individuals.
The “cure” for a breach is to notify affected individuals. So you need to know two things with some certainty: did you have a breach, and if so, whose PHI was exposed, so you can notify them.
These are the two gating questions for Wolverine: was there a breach, and if so, who needs to be notified (and when)? Under the first question, if they can prove no data exfiltration, then they have a strong argument that there’s no breach at all. No breach, no reporting requirement. However, in some cases, even though you’re highly confident (there’s a very low probability that the data got out — the laptop dropped into the blast furnace probably won’t be recovered, and if it is, the data on it will likely be unrecoverable) there’s no breach, you might still notify, just to be safe. That seems to be the base of Wolverine’s argument. Again, if you have no duty to notify, you can’t be late in providing notification.
The second (and third) items are who to notify, and when. Notification is required to affected individuals, and as I noted on Twitter, without unreasonable delay but no later than 60 days. So 60 days is drop dead, but if sooner is reasonable, that’s your actual deadline. But who do you report to if you don’t know who was affected? And 60 days (or less) from when? If you don’t know who to report to, it’s hard to meet an obligation to report to them. And you can’t be expected to report something you don’t know about, so the clock starts running at “discovery.” (Caveat: you can’t be willfully ignorant, there’s “deemed” discovery when you should have known.) The issue for Wolverine is, when did they discover? If they had a breach but didn’t know some particular person was involved until January 1, one could argue that’s when the clock starts ticking for notification to that person. Thus, rolling notification could be appropriate.
However, when you’re dealing with a Business Associate’s breach, the BA’s obligation is to report to the CE, and the terms are as set out in the BAA. The 60 day clock is usually 3-5 days. But there’s still the issue: when was the breach discovered? The incident may have been discovered on January 1, but if the BA doesn’t know that CE client X’s data was involved until February 1, that might be the clock-starting date.
Thank you for spending the time to spell that all out. I’m not sure I understand how a BA could prove to HHS — or a client, for that matter — that they couldn’t reasonably have discovered the clients to be notified and patients faster. So if this BA notified one client in November and December, why couldn’t they have equally promptly discovered the others whose data were on the same server and locked up by the same ransomware? Would HHS or the client CE argue that they could have discovered it more promptly and it’s just a matter of the business not having hired enough staff to do faster incident response? I don’t mean to sound unsympathetic to the business, and I think a business would have to be very brave and have deep pockets if they wanted to fight HHS/OCR on the issue of whether notification was even required. And from my post, I hope it’s clear that I think these regs are overburdensome as they are being interpreted. I’d much prefer HHS/OCR to go after/pursue other issues related to breaches and notification than this type of situation.
As a consumer and not a business person I have the following question.
For all the calls I get soliciting me to buy a product, use a service or consider their company for a reason, I always wonder how the caller knew my specific birthday (to enroll in Medicare during my enrollment window), that I have had my knee replaced and that I have high cholesterol. How did they get that info? The calling company always says they get their lists from a third party vendor that they will not name.
So my question is, did my hospital or insurance company SELL my information, or was it obtained in a breach? How is it that these companies obtain this PHI in any way, to specifically target me based on my health conditions?
Your hospital, your health insurance company, every sizable company is really just a cloud of vendors that perform most of the mundane business processes (IT, HR, PR, finance, marketing, customer service, crisis management, logistics, etc.) around the client organization nucleus. Why would you want your hospital to expend unnecessary resources performing accounting and billing functions? You want your hospital to focus on one thing: curing you. Other stuff gets outsourced around the country and world, thanks to the internet, to vendors who specialize in providing “solutions” which allows clients to focus on their core mission at a lower cost. Transferring and marketing through your PHI and personal identifying information is part of the bargain for lower costs. I know, what lower costs? It sucks sometimes, but there you go. With some professional foresight and dumb luck, hopefully Wolverine followed industry standards and the information was encrypted on its server, so it was worthless for the thief to download. Sounds like they were left with the choice of encrypting over the already encrypted data and running a bluff to see if it would pay off.
Sorry, you do not want to get me started on outsourced billing services. I have dealt with individuals who have no knowledge or abilities to give someone who works in the industry basic information like procedure or diagnosis codes. This allows the hospital to hide from complaints that need specific billing information to correct, without significant effort to talk to someone who can access records.
Now I hear Wolverine has somehow avoided HIPAA penalties. The requirement is 60 days from discovery. That would have been late November or early December, not February.
How are they claiming “rolling discovery”? They notified BCBSM in December but Sparrow hospital in February. Were they separate instances? If not, I would think fines should be assessed. 700 companies and 1.2 million people!!! Sounds like there was no security to stop the hackers from getting into everything!
I’m not sure why you think that Wolverine avoided any HIPAA penalties as HHS/OCR has not closed any case or investigation — at least not to my knowledge. Did you read something definitive on that somewhere?
Obviously the idiot that wrote this article suggesting that Wolverine Solutions Group is not liable for notifying victims of the data breach is NOT one of the victims and would easily take the word of a company trying to cover itself. My letter, which is dated March 1, 2019 and which I received today, March 6, 2019, only states that they have no evidence that this information (which includes my social security number) has been accessed or extracted. The letter does NOT say they have evidence and are 100% confident that my information was not accessed or extracted. They have proved nothing to guarantee that the 1.2 million people impacted are not at serious risk. They do not have guaranteed evidence that the data was not extracted. They just can’t prove definitively that it was extracted. That is a big difference between those two statements. In my opinion, if they cannot prove with 100% certainty that the information was not extracted, they had the responsibility to notify victims early.
Furthermore, my letter states that Sparrow, which is the health care provider that gave a direct marketing company my personal and private information, was informed on December 10, 2018. Why then did it take them almost 3 months to notify me personally? I also heard nothing from Sparrow. This is absolutely unacceptable and I will be pursuing any process available to me to hold this company accountable for causing me to worry for years to come that my social security number and other data has been compromised.
This company needs to be held accountable!
I see no idiots in this thread. We were fortunate to have an expert HIPAA lawyer chime in on some complex issues that come up when considering duty to notify and time frames. You may not like his opinion, but please avoid ad hominem attacks.