Michigan Medicine notifies patients of health information breach

Michigan Medicine is notifying approximately 33,850 patients about employee email accounts that were compromised which may have exposed some of their health information.

From August 15 through August 23, 2022, a cyber attacker targeted Michigan Medicine employees with an email “phishing” scam. In this scam, the attacker lured employees to a webpage designed to get them to enter their Michigan Medicine login information. Four Michigan Medicine employees entered their login information and then inappropriately accepted multifactor authentication prompts which allowed the cyber attacker to access their Michigan Medicine e-mail accounts. Michigan Medicine learned the email accounts were compromised on August 23, 2022. The accounts were disabled as soon as possible so no further access could take place and password changes were made.

No evidence was uncovered during the investigation to suggest that the aim of the attack was to obtain patient health information from the compromised email accounts, but data theft could not be ruled out. As a result, the email accounts and their contents were presumed compromised.  Thus, all the emails and any attachments to them required a detailed, thorough review to determine if sensitive data about one or more patients was potentially impacted. This review was completed on October 17, 2022. Affected patients will be notified by letter. Notices were mailed to the affected patients or their personal representatives starting October 19, 2022 and will be completed on October 26, 2022. 

Some emails and attachments were found to contain identifiable patient information such as:  Name; medical record number; address; date of birth; diagnostic and treatment information; and/or health insurance information. The emails were job-related communications for coordination and care of patients, and information related to a specific patient varied, depending on a particular email or attachment.

As soon as Michigan Medicine learned that the email accounts were compromised, the accounts were disabled so no further access could take place and immediate password changes were made. Additional technical safeguards on our email system and the infrastructure that supports it were also put in place to prevent similar incidents from happening. The email accounts did not contain any credit card, debit card or bank account numbers. One patient received separate notice because their Social Security Number was involved.  

Robust training and education materials are used to increase employee awareness of the risks of cyberattacks. This includes sending regular, simulated phishing emails (imitations) that Michigan Medicine initiates and manages so employees are trained on what to look for, and how to identify and report them. The employees involved in this incident had previously been involved in these training exercises, and they are subject to disciplinary action under Michigan Medicine policies and procedures. Michigan Medicine is very sorry and deeply regrets this incident has occurred.  Michigan Medicine also is assessing the ability to place additional technical safeguards on our email system and the infrastructure that supports it to prevent similar incidents from happening.

“Patient privacy is extremely important to us, and we take this matter very seriously. Michigan Medicine took steps immediately to investigate this matter and is implementing additional safeguards to reduce risk to our patients and help prevent recurrence,” said Jeanne Strickland, Michigan Medicine chief compliance officer.

Those concerned about the breach who do not receive a letter may call the toll-free Michigan Medicine Assistance Line: 1-833-814-1736. Calls will be answered from 9 a.m. to 9 p.m. (Eastern Time), Monday through Friday, except holidays.  

 While Michigan Medicine does not have reason to believe the accounts were compromised for the purpose of obtaining patient information, as a precautionary measure, all affected patients have been advised to monitor their medical insurance statements for any potential evidence of fraudulent transactions. Information about potential identity theft is available from the Federal Trade Commission at www.identitytheft.gov/#/Warning-Signs-of-Identity-Theft.

About Michigan Medicine: At Michigan Medicine, we advance health to serve Michigan and the world. We pursue excellence every day in our five hospitals, 125 clinics and home care operations that handle more than 2.3 million outpatient visits a year, as well as educate the next generation of physicians, health professionals and scientists in our U-M Medical School.

Michigan Medicine includes the top ranked U-M Medical School and University of Michigan Health, which includes the C.S. Mott Children’s Hospital, Von Voigtlander Women’s Hospital, University Hospital, the Frankel Cardiovascular Center, University of Michigan Health-West  and the Rogel Cancer Center. The U-M Medical School is one of the nation's biomedical research powerhouses, with total research funding of more than $500 million.