Michigan – Following recent incidents where patients’ personal details were leaked, Michigan’s Attorney General Dana Nessel has called on legislators to make it mandatory for businesses to report such breaches immediately to her office.
Nessel expressed her frustration in an interview with MLive on Thursday, Dec. 28, about the limitations she faces in quickly addressing data breaches. She is responsible for consumer protection in Michigan but feels her hands are tied.
She pointed out that in 34 other states, there’s a requirement for businesses to inform state authorities when a data breach happens. Nessel, who deals with identity theft cases, often finds out about these breaches much later, usually from news reports. She believes companies must be accountable for data leaks. She also noted that other states have various ways of encouraging businesses to improve their data protection methods.
This week, Attorney General Dana Nessel announced a data breach at a vendor used by Corewell Health. This incident impacted around 1 million patients in southeast Michigan. There was also a previous breach at another Corewell Health vendor, which put another 1 million patients in the same area at risk.
The vendor involved in the most recent breach, HealthEC, informed its customers in late October about a breach that occurred in July, according to Nessel.
The first breach affecting Corewell Health patients happened on May 30. This breach was at Welltok Inc., a company providing patient communication services to Corewell. Announced on December 1, it affected 1 million people in Michigan and 8.5 million nationwide, as per Nessel.
Additionally, about 2,500 members of Priority Health were impacted in this first breach.
Nessel’s office found out about these breaches involving Corewell Health patients through news reports.
Hackers might have accessed patients’ personal details like names, addresses, Social Security numbers, birth dates, health conditions, prescription data, health insurance details, and treatment costs.
Attorney General Dana Nessel mentioned that if consumers knew their sensitive information was at risk, they could have acted sooner to safeguard themselves.
HealthEC is offering a year of free credit monitoring and identity protection services through TransUnion for those who might be impacted by the recent breach. Individuals can call 833-466-9216 for further details.
Welltok discovered a security issue in its MOVEit Transfer Server, and third-party cybersecurity experts found that an unauthorized person accessed the server around late May.
Welltok is reaching out to those whose data was in the compromised files. They provide advice on preventing fraud on their website.
According to the Identity Theft Resource Center, the healthcare sector is highly vulnerable and it’s usually on the top of the list when it comes to cyber attacks. The reason behind is the fact that the healthcare sector has large amount of data including sensitive data for the patients.