Phishing email campaign could have exposed health information of about 5,500 patients
Michigan Medicine is notifying approximately 5,500 patients about a phishing email campaign that may have exposed some of their health information.
During the campaign, emails containing a malicious link were sent to over 3,200 Michigan Medicine employees. If the link was clicked, employees were directed to a webpage that looked like a legitimate site requesting the username and password for their email account.
In July 2019, three employees clicked into this email, resulting in the perpetrator gaining access to the employees’ email accounts. The accounts were then used to continue to send additional phishing emails. Michigan Medicine discovered the compromised accounts on July 9 and July 12.
As soon as Michigan Medicine learned that the email accounts were compromised, they were disabled so no further access could take place until the passwords were changed.
Additionally, the malicious emails were deleted from all employees’ email accounts, and any employees identified as having received the malicious email were subject to mandatory password resets.
Through the investigation of the incident, no evidence was uncovered to suggest that the aim of the attack was to obtain patient health information.
However, data theft could not be ruled out. As a result, all of the emails of the employees involved were presumed compromised and the contents of the email accounts were analyzed. Two of the three employees’ compromised email accounts included emails that contained identifiable patient information. These accounts were compromised on July 8 and 12.
The identifiable information in those emails included a combination of one or more of the following: names, medical record numbers, addresses, dates of birth, diagnostic and treatment information, and health insurance information. A small subset of the emails also included Social Security numbers.
“Patient privacy is extremely important to us, and we take this matter very seriously. Michigan Medicine took steps immediately to investigate this matter and is implementing additional safeguards to reduce risk to our patients and help prevent recurrence,” said Jeanne Strickland, Michigan Medicine chief compliance officer.
Notices were mailed to the affected patients or their personal representatives.
Those concerned about the breach that do not receive a letter may call toll-free 855-336-5900, Monday through Friday, from 8 a.m. to 5 p.m.
While Michigan Medicine does not have reason to believe the accounts were compromised for the purpose of obtaining patient information, as a precautionary measure, all affected patients have been advised to monitor their medical insurance statements for any potential evidence of fraudulent transactions. Additionally, complimentary credit monitoring and identity theft protection services have been offered to all patients whose health insurance information or Social Security number was involved.
In response to this event, Michigan Medicine is implementing additional technical safeguards to prevent similar future incidents. Additional training and education materials have also been implemented to increase employee awareness on the risks and proper handling of malicious emails.
About Michigan Medicine: At Michigan Medicine, we create the future of healthcare through the discovery of new knowledge for the benefit of patients and society; educate the next generation of physicians, health professionals and scientists; and serve the health needs of our citizens. We pursue excellence every day in our three hospitals, 125 clinics and home care operations that handle more than 2.3 million outpatient visits a year.
Michigan Medicine includes the top ranked U-M Medical School and the University of Michigan Health System, which includes the C.S. Mott Children’s Hospital, Von Voigtlander Women’s Hospital, University Hospital, the Frankel Cardiovascular Center and the Comprehensive Cancer Center. Michigan Medicine’s adult hospitals were ranked no. 11 in the nation by U.S. News and World Report in 2017 and C.S. Mott Children’s Hospital was the only children’s hospital in Michigan nationally ranked in all 10 pediatric specialties analyzed by U.S. News and World Report for 2017-18.The U-M Medical School is one of the nation's biomedical research powerhouses, with total research funding of more than $470 million.
Department of Communication at Michigan Medicine