533K record breach at Wisconsin Health Cooperative

Unauthorized access was detected in GHC-SCW’s network, affecting more than 533,000 individuals. 

What happened?

Group Health Cooperative of South Central Wisconsin (GHC-SCW) experienced a data breach due to a cyberattack, affecting over 533,000 individuals. The breach occurred when hackers gained unauthorized access to GHC-SCW's network on January 25. Although the hackers attempted to encrypt the systems, they were unsuccessful. However, they managed to copy sensitive data including names, email addresses, dates of birth and/or death, Social Security numbers, member numbers, phone numbers, and Medicare and Medicaid numbers.

The attackers, identified as a foreign ransomware gang, claimed responsibility for the breach and data theft. GHC-SCW has since collaborated with the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) to address the incident and has enhanced its security measures in response.

Although there is no proof of the mishandling of the information that was made public, GHC-SCW suggests that those affected must carefully examine any correspondence from their organization and report immediately if they discover unapproved services on their statements.

What is being said?

Group Health Cooperative of South Central Wisconsin told Health IT Security that the discovery of the data breach “was confirmed when the attacker, a foreign ransomware gang, contacted GHC-SCW claiming responsibility for the attack and stealing our data.” This was done after they detected unauthorized access to their network. 

GHC-SCW went on to advise the affected individuals to contact the organization if they notice unknown transactions on their statements.   

Why does it matter?

Immediately after the organization discovered the breach, they isolated the affected network. Isolating the network immediately after detecting unauthorized access helps prevent further infiltration and damage by the attackers. By isolating the compromised area, the organization can contain the breach and prevent it from spreading to other parts of the network or affecting additional systems. This assisted the security teams in assessing the extent of the breach and investigating the incident thoroughly without interference. Moreover, isolating the network could have helped in mitigating the risk of data exfiltration or manipulation by the attackers, minimizing potential harm to sensitive information, and reducing the chances of regulatory penalties or reputational damage.

GHC-SCW’s fast- action at the discovery of the breach is an exemplary move in containing and reducing the impact of any cybersecurity breach on the healthcare system. This also helps in gaining (or maintaining) patient trust.

Related: How to respond to a data breach

FAQs

What is a data breach?

Data breaches occur when protected health information (PHI) is disclosed without authorization. PHI includes highly sensitive, health-related data like medical records, billing details, insurance claims, and other related types of information.

What are the consequences of a HIPAA breach?

The penalties for HIPAA breaches can vary depending on factors such as the severity of the violation, the organization's level of negligence, and its efforts to address the breach. Fines for HIPAA violations can range from $100 to $50,000 per incident, with an annual maximum of $1.5 million for each type of violation. Additionally, organizations may face legal consequences, including lawsuits and civil monetary penalties, as well as mandatory corrective action plans imposed by the Department of Health and Human Services (HHS). Beyond the financial repercussions, a HIPAA breach can damage an organization's reputation and erode patient trust, potentially leading to a loss of business and credibility within the healthcare community. Therefore, maintaining robust security measures and adhering to HIPAA compliance standards are imperative for safeguarding patient data and mitigating the risks associated with breaches.

Go deeper: What are the penalties for breaching HIPAA?

Who is responsible for enforcing HIPAA?

The enforcement of the Health Insurance Portability and Accountability Act (HIPAA) is overseen by the Office for Civil Rights (OCR).

Go deeper: Who is responsible for enforcing HIPAA?