Breach of Health-Care Provider May Have Affected 500,000
(TNS) — A cyberattack reported by Madison-based Group Health Cooperative of South Central Wisconsin in January affected 533,809 people, the HMO told federal regulators this week, and the stolen data may include Social Security numbers.
On Thursday, Madison attorney Sam Strauss filed two class-action lawsuits in Dane County Circuit Court against Group Health over the data breach.
One suit, filed on behalf of Madison residents and Group Health patients Gabriella Jenich and Margaret Hetzler, accuses Group Health of negligence, saying it “failed to implement reasonable protections to safeguard” patient information and failed to respond to the breach appropriately. It defines Group Health as medical clinics, pharmacies and providers.
The other suit, filed on behalf of Superior resident Daniel Pearson, is similar but defines Group Health as a member-owned health plan.
Group Health identified unauthorized access to its network on Jan. 25, according a statement it released Tuesday. Its information technology department secured the network, making several systems temporarily unavailable.
The hacker attempted to encrypt the company’s systems but failed. Group Health reported the incident to the FBI and hired outside help to restore and verify the security of its network and investigate the attack.
On Feb. 9, the company discovered indications that the attacker had copied some of its data, including protected health information. The stolen data may include names, Social Security numbers, addresses, phone numbers, email addresses, dates of birth or death, Group Health member numbers, Medicare numbers and Medicaid numbers.
“Our discovery was confirmed when the attacker, a foreign ransomware gang, contacted (Group Health Cooperative of South Central Wisconsin) claiming responsibility for the attack and stealing our data,” the statement said. “We have no indication that information has been used or further disclosed.”
Group Health representatives on Thursday declined to comment on the lawsuits. Spokesperson Kate McLaughlin said current and past members of the HMO, which has about 80,000 members, and current and past patients of its providers are included in the total of more than 500,000 people.
Group Health said it has taken additional steps to mitigate harm by working with the FBI and the U.S. Cybersecurity and Infrastructure Security Agency. It has informed potentially affected individuals, state and federal agencies and consumer reporting agencies.
“To reduce the risk of this happening again, we have implemented enhanced security measures across all our systems and networks,” the HMO said. “This includes strengthening existing controls, data backup, user training and awareness, and other measures.”
People with questions can call member services at 800-605-4327. People who think they may have been affected but did not receive a notification letter can contact privacy@ghcscw.com or call 608-662-4899.
© 2024 The Wisconsin State Journal (Madison, Wis.). Distributed by Tribune Content Agency, LLC.