After failed ransomware attack, hackers stole data on 533,000 people from Wisconsin insurance company

One of the largest health insurance companies in Wisconsin said hackers who launched a failed ransomware attack were still able to steal troves of sensitive information on more than half a million people.

In notices on its website and with regulators, Group Health Cooperative of South Central Wisconsin (GHC-SCW) said its IT team discovered hackers intruding in their systems early in the morning on January 25. 

The hackers — which GHC-SCW did not identify — attempted to encrypt the company’s systems but failed.

With help from the FBI and an outside cybersecurity firm, the company was able to restore its systems. 

But on February 9, investigators realized that the hackers copied some of GHC-SCW’s data before attempting to launch the ransomware attack. 

The copied data included names, addresses, phone numbers, dates of birth and death, Social Security numbers, healthcare plan member numbers, Medicare or Medicaid numbers and other protected health information.

“Our discovery was confirmed when the attacker, a foreign ransomware gang, contacted GHC-SCW claiming responsibility for the attack and stealing our data,” the company said. 

“We have no indication that information has been used or further disclosed. Please be assured that we have taken additional steps to help mitigate any harm that might result from this incident by working with the FBI and U.S. Cybersecurity and Infrastructure Security Agency (CISA), informing all affected individuals, all necessary state and federal agencies, and certain consumer reporting agencies.”

In total, 533,809 people had information copied by the group — which has not come forward publicly to claim the attack. 

In addition to reporting the incident to state regulators, GHC-SCW also submitted notification to the U.S. Department of Health and Human Services. 

GHC-SCW has existed for nearly 50 years, operating as a not-for-profit, member-owned health plan providing healthcare to 79,000 members and their dependents in south central Wisconsin.

The disclosure comes as multiple healthcare companies, hospitals and insurance companies continue to report ransomware attacks and breaches exposing the data of millions. 

Change Healthcare — whose shutdown by a ransomware attack has snarled much of the U.S. healthcare system — told Recorded Future News it is in the process of investigating attempts by a ransomware actor to sell data stolen from the company. 

Meanwhile, a prominent cancer hospital in California said last week that hackers may have accessed the information of more than 820,000 people during a cyberattack.

The hospital said it only discovered the incident on March 25.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.