ANN ARBOR – Michigan Medicine has announced that a recent breach could have exposed private health information.
The health system is working to notify approximately 33,850 patients whose information may have been compromised as the result of a cyber attack between Aug. 15-22 directed at employee emails.
According to Michigan Medicine, employees were targeted by a cyber attacker with a “phishing” scam. They were sent a link that prompted them to enter their Michigan Medicine login information.
“Four Michigan Medicine employees entered their login information and then inappropriately accepted multifactor authentication prompts which allowed the cyber attacker to access their Michigan Medicine e-mail accounts,” reads a release.
The health system learned of the compromised accounts on Aug. 23 and immediately disabled them.
Although officials said the investigation that followed found no evidence suggesting the purpose of the attack was to obtain private health information, they said they could not rule out data theft.
A review of all the compromised emails and attachments to determine if sensitive data was leaked was completed on Oct. 17.
Patients affected by the incident will be notified by letters which were mailed between Oct. 19-26.
Some emails and attachments included identifiable information of patients such as name, address, date of birth, medical record number, treatment and diagnostic information and in some cases health insurance information.
Officials said the emails were “job-related communications for coordination and care of patients, and information related to a specific patient varied, depending on a particular email or attachment.”
Since the incident, the health system updated its email system to feature additional technical safeguards to prevent a similar future attack.
No financial information like credit card, debit card or bank account numbers was found in the emails. In one case, a patient’s Social Security Number was involved, and they received a separate notice, officials said.
Michigan Medicine said it will continue employee training and education to recognize scam emails when they encounter them. The employees involved in the incident are subject to disciplinary action, according to the health system’s policies and procedures. They had previously undergone training for scam emails.
“Patient privacy is extremely important to us, and we take this matter very seriously,” Michigan Medicine chief compliance officer Jeanne Strickland said in a statement. “Michigan Medicine took steps immediately to investigate this matter and is implementing additional safeguards to reduce risk to our patients and help prevent recurrence.”
Patients who do not receive a letter and are concerned about the breach can call the toll-free Michigan Medicine Assistance Line at 1-833-814-1736 between 9 a.m.-9 p.m. Monday through Friday.
More information about identity theft from the Federal Trade Commission can be found here.