Companies don't have to report health data breaches in Michigan; AG Nessel wants change


At least one-third of Americans — a record 123.9 million people — were hit in 2023 with health care cybersecurity breaches that compromised their protected medical information and other personal data, exposing them to risks of identity theft, fraud, damage to their credit and worse, according to a U.S. Health and Human Services database.

Michiganders were not spared. As many as 4.5 million people in the Mitten State may have had their personal health data compromised last year by cybercriminals in a series of attacks that targeted:

  • McLaren Health Care. The cybercriminal gang ALPHV, also known as BlackCat, claimed responsibility for a ransomware attack in late August, stealing the medical information of 2.5 million patients and leading McLaren to shut down its computer network.

  • HealthEC, Welltok, Westat and MOVEit Transfer, vendors contracted by two of the state's largest hospital systems — Corewell Health and Henry Ford Health. The breaches took place from March to July 2023 and affected more than 2 million people. In many cases, cybercriminals stole not only names, dates of birth, email addresses and phone numbers, but also medical diagnoses, health insurance information and Social Security numbers.

  • The University of Michigan. An August hacking incident shut down the computer network for several days across the university's three campuses and compromised the data of about 61,000 people. For some, that included Social Security numbers, medical and financial information. Affected in the cyberattack were research study participants and patients of the University Health Service and School of Dentistry, along with students, applicants, alumni, donors, employees and contractors.

  • Kent County Community Health Authority, also known as Network 180, and Michigan Orthopaedic Surgeons. Separate email phishing scams in October and December compromised personal data that may have included Social Security numbers, health insurance information, protected medical information and credit card numbers of a total of 127,000 patients and employees.

"I expect to see even more significant and more sophisticated types of scams, defrauding people or even blackmail or extortion," Michigan Attorney General Dana Nessel told the Free Press in an interview last week.

Nessel: 'We have to have strict penalties in place'

"This is not just people's Social Security numbers and their birthdays. That's bad enough. This involves the most intimate parts of a person's life. It's the communications between them and their physicians, and I very much worry about how that information will be used if it's available to be sold to criminals. These aren't well-intentioned actors. So, you know, it boggles the mind to think of all the ways that this information could be used to hurt people."

Nessel is calling on state lawmakers to introduce new legislation that would require companies, their vendors and contractors to notify the attorney general's office when cyberattacks occur and bolster the department's powers to investigate and hold them accountable.

Michigan Attorney General Dana Nessel speaks during the annual Menorah in the D at Campus Martius in Detroit on Thursday, Dec. 7, 2023.

"We are working with both members of the House and the Senate to try to have additional laws put in place that would better protect patients and consumers," she said.

"We have to have strict penalties in place and say: 'This is your business. This is the work that you've chosen to do, and you must safeguard people's very private information. If you fail to do it properly, there has to be a penalty associated with it or, frankly, you shouldn't be in the business in the first place.' "

Nessel said it's "outrageous" that companies doing business in Michigan are not required to report health care data breaches to any state agency.

Several states not only require notification to their attorneys general, but also set deadlines for disclosure. In Connecticut, the law requires reporting the breach within 90 days of when it was discovered. In Delaware, it's 60 days. Colorado limits the timing to 30 days after the discovery of stolen data.

Nessel said oftentimes, she first learns about cyberattacks when they are announced by the attorneys general in states with stronger notification laws.

Delays in reporting breaches to Michiganders

"We find out that the company has notified the Department of Attorney General in other states, but not here in Michigan for the exact same security breach because they're not required to" report it here, she said. "It's very upsetting, and we very much need that law to change."

Michigan's Identity Theft Protection Act doesn't set parameters for how quickly companies must notify consumers of data breaches, either, saying only that "notice must be made without unreasonable delay."

It took until mid-July for Detroit-based Henry Ford Health to notify some patients that an email phishing scheme dating to March allowed hackers to access protected health information.

Henry Ford said it conducted a forensics investigation and didn't determine until May 16 that information such as name, gender, date of birth, age, lab results, procedure type, diagnosis, date of service, telephone number, medical record number and/or internal tracking number "could have been accessed by the bad actor."

Henry Ford Hospital in Detroit

With the HealthEC and Welltok breaches of Corewell Health's protected patient information, letters weren't mailed to people whose data was compromised until four to six months later.

That's not fast enough, Nessel said.

"I would argue that is unreasonable," she said. "Corewell might say something very different ... but think of all the harm that a person can suffer within that period of time, especially when you're talking about this sensitive medical information."

What happens to data breach victims

Kelly Goldberg, 65, of Farmington Hills, spent hours trying to untangle the mess left in the wake of cyberattacks on Corewell vendors HealthEC and Welltok.

Her protected health data and that of two of her adult children were compromised in the breaches. She contacted the major credit reporting agencies and is monitoring her bills and insurance company statements for evidence of fraud.

"I wouldn't want someone trying to use my benefits to get health care for themselves or create a whole other identity. It definitely feels like a violation," she said.

She's helping her kids put safeguards in place, too. Goldberg's 28-year-old son's identity was stolen last year, and though they can't prove it, she said she can't help but speculate that the cybercriminals involved in the HealthEC and Welltok breaches could be to blame.

"He got a notice that his credit card company was lowering his credit limit due to adverse remarks on his credit report," Goldberg said. "So he dug and dug and found out someone had taken out a Discover card in his name. I don't have conclusive proof that it was related to this data breach, but it was within the same time period."

It troubled her, too, that the notifications about their stolen data came from the vendors HealthEC and Welltok, but not the health care company Goldberg knows, Corewell Health.

"Since my relationship is with Beaumont/Corewell, I would have expected that they would have individually contacted patients," Goldberg said. "They should have to report it.

"I would love to see a heavy-hitting law firm investigate this, and claw back some kind of recompense and hold them to account. It's not even about money. It's about holding them accountable, and living up to the obligation to keep HIPAA-protected information private."

State lacks investigative tools for breaches

Nessel agrees with those sentiments. Accountability, she said, begins with notification and a proper investigation of what led to each data breach.

"We're really interested in making amendments to the Identity Theft Protection Act that would allow our department to have additional investigative tools that we don't really have right now," Nessel said. "In investigating a company, oftentimes we have to rely on their cooperation. It's voluntary on their part."

Nessel, a former prosecutor, likened the current law's limitations to trying to lead a criminal investigation of an alleged drug dealer on a strictly voluntary basis.

"What if the only tool that I had available to me was to ask this alleged drug dealer: 'Would you provide us with any evidence of your drug dealing so that we could potentially use it then to penalize you or to prosecute you?' Who would cooperate? Luckily, we can go to a judge and get a search warrant if we have probable cause to search a home or a business or a vehicle. We have investigative subpoenas and we can get an order from a judge so that a witness has to sit down under oath and talk to us.

"We don't have those kinds of tools available to us in this realm, and we really, we really need them."

Nessel said she'd also like to see stiff penalties and fines for violations.

"There need to be significant penalties," Nessel said. "There need to be fines that are appropriate for companies that do not tell their patients or their customers within a reasonable time frame. And when I say reasonable, we have to do a bit of a better job of defining what reasonable delay is."

Additionally, when protected health data is compromised — even if a contractor is to blame — Nessel said letters should be mailed by the primary health care organization, such as Corewell in the case of the affected patients in the HealthEC and Welltok breaches.

That's because few consumers would recognize either of the vendor names, but they would recognize Corewell.

When letters arrived in mailboxes in November and December from Welltok and HealthEC, Nessel said the phone began to ring from people who were confused and wanted to be sure the notifications were legitimate.

"I had a number of people say, 'I don't understand why I'm getting this letter. I don't have anything to do with this company.' And I had to tell them, 'Yeah, you do. You just don't know about it.'

"It really should be Corewell's responsibility to communicate so that people better understand that it's legitimate ... and don't just disregard it."

Her message to health systems and other organizations is this: "You're responsible for the conduct of your vendors. You chose them ... and now you're responsible for their actions."

Health care companies likely will resist more penalties

Trustwave, a Chicago-based cybersecurity company, released a report in July that found 24% of all cyberattacks in the U.S. in 2022 targeted the health care industry.

The average cost of each breach was $11 million, said Karl Sigler, senior security research manager at Trustwave, noting that the steep price tag includes penalties, fees and fines, along with the costs associated with sending letters to notify consumers.

Relentless cyberattacks on the health care industry put financial pressure on hospitals that already are struggling, hospital leaders say. They are lobbying for fewer — not more — fines and penalties.

Nessel acknowledges that the state Chamber of Commerce, health care companies and industry trade groups are likely to oppose any legislation that would toughen the state's consumer protection laws and stiffen penalties around breaches of protected health data, but there is widespread support among consumers for it.

"No consumer wants to be subjected to having their personal information sold on the dark web after a data breach," Nessel said. "... I look at red states around the country, and many of them have better laws than we have here. So it's bewildering to me when that argument is made.

"I strongly urge our lawmakers and the governor to take swift action on this."

Protect yourself from cyberattacks

In the meantime, Nessel's best advice to protect yourself is to never ignore a letter that says your protected personal information has been compromised. Act as soon as possible by:

  • Changing your passwords and using two-factor authentication to sign in to important online accounts.

  • Contacting the three credit reporting bureaus: TransUnion, Experian and Equifax. Consider putting a security freeze or fraud alert on your credit report and signing up for credit monitoring.

  • Getting a free credit report at www.annualcreditreport.com and checking it for discrepancies.

  • Monitoring your bills, health insurance statements and bank account activity, and watching for anything suspicious or out of the ordinary.

  • If you suspect you are a victim of identity theft, report it to your local police department and immediately challenge fraudulent purchases and charges made through your bank/credit cards. Other tips and suggestions are available online at michigan.gov/consumerprotection.

Contact Kristen Shamus: kshamus@freepress.com.

This article originally appeared on Detroit Free Press: 4.5M Michiganders' health data exposed in cyberattacks; expect more