Michigan Medicine notifies more than 30K patients of health information breach
ANN ARBOR, Mich. (CBS DETROIT) - Michigan Medicine is notifying approximately 33,850 patients about employee email accounts that were compromised which may have exposed some of their health information.
The health system says a cyber attacker targeted employees with an email "phishing" scam from Aug. 15-22. They were sent a link that promoted employees to enter their Michigan Medicine login information.
"Four Michigan Medicine employees entered their login information and then inappropriately accepted multifactor authentication prompts which allowed the cyber attacker to access their Michigan Medicine e-mail accounts," reads a press release.
Michigan Medicine learned the email accounts were compromised on Aug. 23 and immediately disabled them.
The health system says no evidence during the investigation suggested the purpose of the attack was to obtain patient health information from the compromised email accounts, but data theft could not be ruled out.
A review of all the compromised emails to determine if sensitive data was leaked was completed on Oct. 17.
Patients affected by the incident will be notified by letters which will be mailed between Oct. 19-26.
Some emails and attachments included identifiable patient information such as: name, address, date of birth, diagnostic and treatment information, and health insurance information.
No financial information like credit card, debit card, or bank account numbers were found in the emails.
Since the incident, Michigan Medicine updated its email system to feature additional technical safeguards to prevent a similar future attack.
The health system says it will continue employee training and education to recognize scam emails when they encounter them. The employees involved in the incident are subject to disciplinary action, under Michigan Medicine policies and procedures.
"Patient privacy is extremely important to us, and we take this matter very seriously. Michigan Medicine took steps immediately to investigate this matter and is implementing additional safeguards to reduce risk to our patients and help prevent recurrence," said Jeanne Strickland, Michigan Medicine chief compliance officer.
Patients who do not receive a letter and are concerned about the breach can call the toll-free Michigan Medicine Assistance Line at 833-814-1736. between 9 a.m.-9 p.m. Monday through Friday.
