Wolverine Solutions Group (WSG) is a Detroit, Michigan-based company that provides mailing, printing, and administrative services to hospitals and healthcare organisations — including processing and mailing documents such as explanation-of-benefits letters, insurance cards, and other sensitive member communications on behalf of healthcare clients.

In September 2018, WSG discovered that its network had been compromised by a ransomware attack. The attackers encrypted the company’s files and rendered its systems inoperable, disrupting its ability to serve its hundreds of healthcare clients. While there was no confirmed evidence that the attackers exfiltrated data, the encryption event gave attackers potential access to the personal and medical records of patients and insurance members held in WSG’s systems.

The breach was not publicly disclosed until March 2019 — approximately five months after discovery — a timeline that drew scrutiny from the Michigan Attorney General and state regulators. By the time notifications were issued, WSG had been forced to notify more than 700 client organisations and potentially 1.2 million patients.

Affected Michigan healthcare organisations included Blue Cross Blue Shield of Michigan, Health Alliance Plan, McLaren Health Care, Three Rivers Health, and North Ottawa Community Health System, among others. Michigan’s Attorney General Dana Nessel and Department of Insurance and Financial Services (DIFS) Director Anita Fox issued a public statement on March 11, 2019 urging affected residents to take precautions.

Exposed information potentially included names, addresses, dates of birth, Social Security numbers, insurance contract information and numbers, phone numbers, and medical information — the full range of sensitive data typical of health insurance and provider communications.

WSG arranged for affected individuals to receive identity protection services through AllClear ID. The company’s prolonged notification timeline drew regulatory attention; under HIPAA’s Breach Notification Rule and applicable state laws, covered entities and their business associates are generally required to notify affected individuals within 60 days of discovering a breach.

This incident illustrates how a mid-tier administrative services vendor — with no direct patient care function but holding vast quantities of PHI on behalf of dozens of healthcare organisations — can become a high-impact attack vector against the broader healthcare sector.