Patients at Sparrow and McLaren hospitals are getting letters informing them their personal information may have been exposed to hackers.
The hackers didn’t get into either hospital’s system. Instead, they attacked a company that handles billing for the hospitals using ransomware to encrypt the data.
Multiple viewers sent News 10 pictures of a letter they got from medical billing company, Wolverine Solutions Group, informing them of a data breach.
The letters were addressed to people who were patients at both Sparrow and McLaren.
“In late September, Wolverine experienced a ransomware attack which affected some of our servers and unfortunately one of those servers did contain personal client data,” said Darryl English, President of Wolverine Solutions Group.
Addresses, social security numbers, clinical and insurance information may have been exposed to hackers. English said there’s no evidence that info was actually accessed.
“After an extensive forensic investigation, we were not provided with any information or evidence that leaves us to believe that any information was either taken from our system or either used in an inappropriate way,” said English.
Patients were still alerted out of an abundance of caution and because their data may still be affected.
Because it’s an ongoing investigation, English can’t provide specifics on how the hack happened or who may be responsible.
Troy Baker, a Manager with Better Business Bureau Communications said hospital and medical facilities are being targeted more because hackers can get data and money.
“Keep track of your credit reports and really keep an eye on your accounts and make sure nothing goofy ends up happening,” he said.
Even though these letters specifically say Sparrow and McLaren patients may have had their data exposed, neither hospital will confirm that. They referred News 10 to Wolverine.
Here is Sparrow’s full statement:
“Sparrow recommends reaching out to Wolverine Solutions Group at 1-855-263-1282 for additional information regarding this event.”
English said privacy policies don’t allow it to release the names of the affected providers.
The letters also say the data breach did not impact either hospital’s servers or electronic health record systems. Wolverine hopes to have notified all customers by the end of this month.
If your identity is stolen, call police or contact the Federal Trade Commission.
Date: March 11, 2019