Michigan Medicine Notifies Patients of Health Information Breach

ANN ARBOR, Mich. — Michigan Medicine is notifying approximately 33,850 patients about compromised employee email accounts, which may have exposed some of their health information.

From Aug. 15-23, a cyber attacker targeted Michigan Medicine employees with an email “phishing” scam, officials said. In this scam, they explained, the attacker lured employees to a webpage designed to get them to enter their Michigan Medicine login information. Four Michigan Medicine employees entered their login information and then inappropriately accepted multifactor authentication prompts, which allowed the cyber attacker to access their Michigan Medicine email accounts.

Michigan Medicine learned the email accounts were compromised on Aug. 23. The accounts were disabled as soon as possible so no further access could take place, and passwords were changed.

“Patient privacy is extremely important to us, and we take this matter very seriously. Michigan Medicine took steps immediately to investigate this matter and is implementing additional safeguards to reduce risk to our patients and help prevent recurrence,” said Jeanne Strickland, Michigan Medicine chief compliance officer.

Michigan Medicine officials, in a press release, said no evidence was uncovered during the investigation to suggest that the aim of the attack was to obtain patient health information from the compromised email accounts, but data theft could not be ruled out.

As a result, they said, the email accounts and their contents were presumed compromised. Thus, all the emails and any attachments to them required a detailed, thorough review to determine if sensitive data about one or more patients was potentially impacted.

The review was completed Oct. 17. Affected patients will be notified by letter. Notices were mailed to the affected patients or their personal representatives Oct. 19-26.

“Some emails and attachments were found to contain identifiable patient information such as name; medical record number; address; date of birth; diagnostic and treatment information; and/or health insurance information,” the release said. “The emails were job-related communications for coordination and care of patients, and information related to a specific patient varied, depending on a particular email or attachment.”