Michigan Medicine notifies patients of health information breach
ANN ARBOR, Mich. — Michigan Medicine is notifying approximately 5,500 patients about a phishing email campaign that may have exposed some of their health information.
During the campaign, emails containing a malicious link were sent to over 3,200 Michigan Medicine employees. If the link was clicked, employees were directed to a webpage that looked like a legitimate site requesting the username and password for their email account.
In July 2019, three employees clicked into this email, resulting in the perpetrator gaining access to the employees’ email accounts. The accounts were then used to continue to send additional phishing emails. Michigan Medicine discovered the compromised accounts on July 9 and July 12.
As soon as Michigan Medicine learned that the email accounts were compromised, the accounts were disabled so no further access could take place until the passwords were changed.
Additionally, the malicious emails were deleted from all employees’ email accounts, and any employees identified as having received the malicious email were subject to mandatory password resets.
Through the investigation of the incident, no evidence was uncovered to suggest that the aim of the attack was to obtain patient health information.
However, data theft could not be ruled out. As a result, all of the emails of the employees involved were presumed compromised and the contents of the email accounts were analyzed. Two of the three employees’ compromised email accounts included emails that contained identifiable patient information. These accounts were compromised on July 8 and 12.
The identifiable information in those emails included a combination of one or more of the following: names, medical record numbers, addresses, dates of birth, diagnostic and treatment information, and health insurance information. A small subset of the emails also included Social Security numbers.
“Patient privacy is extremely important to us, and we take this matter very seriously. Michigan Medicine took steps immediately to investigate this matter and is implementing additional safeguards to reduce risk to our patients and help prevent recurrence,” said Jeanne Strickland, Michigan Medicine chief compliance officer.
Notices were mailed to the affected patients or their personal representatives.
Those concerned about the breach who do not receive a letter may call toll-free 855-336-5900, Monday through Friday, from 8 a.m. to 5 p.m.
While Michigan Medicine does not have reason to believe the accounts were compromised for the purpose of obtaining patient information, as a precautionary measure, all affected patients have been advised to monitor their medical insurance statements for any potential evidence of fraudulent transactions. Additionally, complimentary credit monitoring and identity theft protection services have been offered to all patients whose health insurance information or Social Security number was involved.
In response to this event, Michigan Medicine is implementing additional technical safeguards to prevent similar future incidents. Additional training and education materials have also been implemented to increase employee awareness of the risks and proper handling of malicious emails.
Source: Michigan Medicine