ANN ARBOR (WWJ) -- Michigan Medicine has notified approximately 33,850 patients that compromised employee email accounts may have exposed some of their health information.
According to a Thursday press release from Michigan Medicine, a cyber attacker launched an email phishing scam between August 15 and August 23, 2022.
In the phishing emails, the scammer placed links to a webpage that asked employees to enter their login information and accept multifactor authentication prompts. This allowed the cyber attacker to gain access to these employees' Michigan Medicine accounts.
Michigan Medicine learned of the compromise on August 23. The affected accounts were disabled and password changes were made to prevent further outside access.
An investigation revealed no evidence that the purpose of the attack was to steal patient health information, but it is possible data theft did occur.
For the employee email accounts that were compromised, all emails and attachments required a thorough review to determine whether sensitive patient data was accessed. The review was completed on October 17. Affected patients will receive letters, sent between October 19 and October 26.
Some of the information found to be compromised included identifiable patient information, such as name, medical record number, address, date of birth, diagnostic and treatment information, and health insurance information.
None of the affected emails were found to contain credit card, debit card or bank account numbers. One patient's social security number was potentially exposed, and that person has been sent a separate notice.
In addition to the immediate steps taken to disable the compromised email accounts, additional technical safeguards were put in place by Michigan Medicine.
“Patient privacy is extremely important to us, and we take this matter very seriously,” said chief compliance officer Jeanne Strickland. “Michigan Medicine took steps immediately to investigate this matter and is implementing additional safeguards to reduce risk to our patients and help prevent recurrence.”
According to the press release, Michigan Medicine employees are required to undergo training to increase awareness of how cyberattacks are carried out and how to avoid them. The employees whose accounts were compromised had taken these trainings and are subject to disciplinary action under Michigan Medicine policies and procedures.
Michigan Medicine says they are also looking into their ability to place additional technical safeguards on their email system and IT infrastructure to prevent similar incidents.
Anyone who does not receive a letter but would like to check on their patient information can call the toll-free Michigan Medicine Assistance Line at 833-814-1736. Calls will be answered weekdays from 9 a.m. to 9 p.m.
As a precautionary measure, all affected patients are advised to monitor their medical insurance statements for any potential evidence of fraudulent transactions. Information about potential identity theft is available from the Federal Trade Commission.