The personal information of about 33,850 Michigan Medicine patients was compromised in a phishing scheme targeting employee emails, the Ann Arbor-based health system announced Thursday.
The cyberattackers were able to obtain the names, medical record numbers, addresses, dates of birth, diagnosis and treatment information, and/or health insurance information of certain patients. Details about the coordination and care of some patients were also compromised.
Michigan Medicine, which is the academic medical center for the University of Michigan, is notifying patients by mail this week of the breach, which occurred between August 15 and August 23.
Employees Phished on Thieves' Website
Four employees were lured by phishing emails to a website designed to steal their Michigan Medicine login information. They then accepted multi-factor authentication prompts, which allowed the cyberattacker to access their email accounts.
The health system learned of the breach on August 23 and the accounts were immediately disabled.
In a statement, the health system said: “No evidence was uncovered during the investigation to suggest that the purpose of the attack was to obtain patient health information from the compromised email accounts, but data theft could not be ruled out. As a result, the email accounts and their contents were presumed compromised.”
A review of emails and attachments was completed on October 17.
“As soon as Michigan Medicine learned that the email accounts were compromised, the accounts were disabled so that no further access could take place and immediate password changes were made,” the health system said in a statement. “Additional technical safeguards on our email system and the infrastructure that supports it have also been put in place to prevent similar incidents from occurring. The email accounts did not contain any credit card, debit card or bank account numbers. A patient received a separate notice because his Social Security number was involved.”
Patients should pay attention to benefit statements
A similar phishing attack in December 2021 compromised the health information of 2,920 Michigan Medicine patients.
The health system said employees need to undergo additional training and education about cyberattacks, and Michigan Medicine is evaluating whether it can put additional technological safeguards in place to protect its messaging system.
“Patient privacy is extremely important to us and we take this issue very seriously. Michigan Medicine immediately took steps to investigate this matter and is putting in place additional safeguards to reduce risk to our patients and help prevent recurrences,” Michigan Medicine chief compliance officer Jeanne Strickland said in a statement.
The health system urges all affected patients to monitor their medical insurance records for the possibility of fraudulent transactions. Information about potential identity theft is available from the Federal Trade Commission at www.identitytheft.gov/#/Warning-Signs-of-Identity-Theft.
Anyone concerned about the breach can call 833-814-1736 between 9 a.m. and 9 p.m. Monday through Friday.
Contact Kristen Shamus on Twitter @kristenshamus.