Michigan Medicine, the academic medical center of the University of Michigan, has notified approximately 57,000 individuals that their personal and health information may have been compromised in a data breach.
The incident occurred as a result of threat actors gaining access to employee email accounts on May 23 and May 29. The compromised accounts were disabled as soon as the breach was discovered by Michigan Medicine.
Michigan Medicine stated that “During its investigation, Michigan Medicine did not find any evidence to suggest that the aim of the attack was to obtain patient health information, but data theft could not be ruled out.” As a precaution, Michigan Medicine presumed that all emails involved were compromised and reviewed them to determine whether they contained sensitive patient data. This analysis took place between June 10 and June 27.
Potentially exposed information included names, addresses, dates of birth, medical record numbers, diagnostic and treatment information, and health insurance information for both patients and insurance guarantors. No credit card, debit card, or bank account numbers were compromised in the Michigan Medicine data breach; however, the Social Security numbers of four patients were exposed.
The emails contained job-related communications for payment and billing coordination for Michigan Medicine patients. The type of information varied for each patient depending on the specific email or attachment.
Immediate Actions Taken by Michigan Medicine
Once the breach was discovered, Michigan Medicine immediately blocked the attacker’s IP address and changed passwords to prevent further access. Additional security measures were also implemented, including improvements to employee email and password security. Staff training around social engineering and password hygiene was also increased.
Notices regarding the breach were mailed to affected patients and/or guarantors or their personal representatives starting on July 19.
According to Michigan Medicine spokesperson Mary Masson, “The emails were job-related communications for payment and billing coordination for Michigan Medicine patients. The information involved for each specific patient varied, depending on the particular email or attachment.”
This incident highlights the importance of data security precautions for academic medical institutions storing sensitive patient information. Michigan Medicine's prompt identification of and response to the breach were aimed at limiting the exposure of patients’ personal health data. Increased security awareness and training for employees will also help to prevent similar incidents going forward.
Impact of Michigan Medicine Data Breach Remains Unclear
While no evidence suggests the attackers specifically targeted patient health records, Michigan Medicine took the precaution of treating all emails involved as potentially compromised and reviewing them. The long-term impacts of this incident on patients whose information may have been exposed are still unknown. Michigan Medicine continues working to secure employee accounts and safeguard protected data in its systems. Close monitoring of the situation will be needed to fully understand the consequences of this data breach.