Michigan Medicine data breach may have exposed some patients' health information – Detroit Free Press

Michigan Medicine is notifying about 2,920 patients that some of their health information may have been exposed when an employee’s email account was compromised.

The email account was compromised Dec. 23, resulting in a cyber attacker gaining access to and using the account to send phishing emails, the health system said in a release Thursday.

The employee learned about the breach when suspicious activity occurred Jan. 6 and immediately reported the situation to the health system’s information technology department. The email account was disabled and immediate password changes were made.

“No evidence was uncovered during our investigation to suggest that the aim of the attack was to obtain patient health information, but data theft could not be ruled out,” according to the release.

All of the emails involved were presumed compromised and the contents were reviewed to determine if sensitive data about any patients was possibly impacted. The analysis was done Jan. 31 through Feb. 15.

“Some emails and attachments were found to contain identifiable patient information, such as: names, medical record numbers, addresses, dates of birth, diagnostic and treatment information, and/or health insurance information,” according to the release.

“The emails were job-related communications for coordination and care of patients, and information related to a specific patient varied, depending on a particular email or attachment. However, no Social Security numbers, credit card, debit card or other financial account information were discovered.”

Notices were mailed to the affected patients or their personal representatives starting Thursday. They have been advised to monitor their medical insurance statements for any potential evidence of fraudulent transactions.

The health system said additional technical safeguards were put in place on its email system and infrastructure to prevent similar incidents from occurring. It also is reviewing its cyber attack training and education materials for employees to make additional improvements.

“Patient privacy is extremely important to us, and we take this matter very seriously,” said Jeanne Strickland, chief compliance officer.

Anyone concerned about the breach who does not receive a letter can call an assistance line at 833-430-2163 from 9 a.m. to 11 p.m. Monday through Friday and 11 a.m. to 8 p.m. Saturday and Sunday. Refer to Engagement No. B028649.

Last month, the health system notified 269 patients by mail about an incident that involved their health information in a separate data breach.

The health system found Jan. 27 that a newly hired employee accessed patient medical records without a business need between Dec. 1 and Jan. 25, according to a post Feb. 21 on its website.

The health system said the individual is part of and has close ties with the local Korean community and accessed records of patients he knows from this local network. His access was immediately cut off and he was terminated, according to the health system.

It said the individual’s actions were “solely out of curiosity.”

“There is no indication that information was further used or disclosed for other reasons. The individual viewed demographic and clinical information such as diagnosis, treatment, and test results. We believe the risk of identity or medical theft is low because no credit card, debit card, bank account, or Social Security numbers were involved.”

Anyone who is concerned their information may have been involved in this data breach and has not received a letter by March 14 can reach out to the corporate compliance office by calling 734-615-4400 or emailing Compliance-Privacy@med.umich.edu.

Contact Christina Hall: chall@freepress.com. Follow her on Twitter: @challreporter.
