According to an Oct. 27 news article posted on Ann Arbor-based Michigan Medicine's website, the organization is notifying approximately 33,850 patients that employee email accounts were compromised, which may have exposed some of their health information.
The article states that “From August 15 through August 23, 2022, a cyber attacker targeted Michigan Medicine employees with an email “phishing” scam. In this scam, the attacker lured employees to a webpage designed to get them to enter their Michigan Medicine login information. Four Michigan Medicine employees entered their login information and then inappropriately accepted multifactor authentication prompts which allowed the cyber attacker to access their Michigan Medicine e-mail accounts. Michigan Medicine learned the email accounts were compromised on August 23, 2022. The accounts were disabled as soon as possible so no further access could take place and password changes were made.”
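The sequence the notice describes, credentials captured on a lookalike login page and then MFA prompts that the account owner approves, leaves a recognizable trace in identity-provider sign-in logs even when the attacker has the correct password. The Python below is an added example, not code from Michigan Medicine or the article; it runs a simple detection over constructed sample sign-in events and flags a successful login when it comes from a source IP the user has never completed a clean login from before, when it was preceded by several MFA prompts in a short window, or when a prompt in that window was denied or timed out before one was approved. The log layout, the event names, the ten-minute window and the three-prompt threshold are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real logs). One event per line:
# <UTC timestamp> <user> <source IP> <event>
# "alice" is first seen from an office address, then hit with repeated
# prompts from an outside address until one is approved; "bob" is a
# routine login that should not alert.
SAMPLE_LOG = """\
2022-08-15T08:02:11Z alice 10.20.30.40 mfa_approved
2022-08-15T08:02:12Z alice 10.20.30.40 login_success
2022-08-16T09:15:03Z alice 10.20.30.40 mfa_approved
2022-08-16T09:15:04Z alice 10.20.30.40 login_success
2022-08-17T21:40:10Z alice 203.0.113.7 mfa_prompt_sent
2022-08-17T21:40:41Z alice 203.0.113.7 mfa_denied
2022-08-17T21:41:02Z alice 203.0.113.7 mfa_prompt_sent
2022-08-17T21:41:30Z alice 203.0.113.7 mfa_timeout
2022-08-17T21:42:05Z alice 203.0.113.7 mfa_prompt_sent
2022-08-17T21:42:19Z alice 203.0.113.7 mfa_approved
2022-08-17T21:42:20Z alice 203.0.113.7 login_success
2022-08-17T10:05:00Z bob 10.20.30.41 mfa_approved
2022-08-17T10:05:01Z bob 10.20.30.41 login_success
2022-08-18T10:07:00Z bob 10.20.30.41 mfa_prompt_sent
2022-08-18T10:07:09Z bob 10.20.30.41 mfa_approved
2022-08-18T10:07:10Z bob 10.20.30.41 login_success
"""


def parse_events(text):
    """Parse the assumed four-field log format into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, event = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "ip": ip,
            "event": event,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_suspicious_logins(events, window=timedelta(minutes=10), prompt_threshold=3):
    """Return one alert per login_success that matches a push-fatigue pattern.

    Rules (assumed thresholds):
      new_source_ip            login from an IP with no prior clean login for this user
      repeated_mfa_prompts     >= prompt_threshold prompts within `window` before the login
      approval_after_rejection a denied or timed-out prompt within `window` before the login
    Only logins that raise no alert extend the user's known-IP baseline, so a
    compromised session does not launder the attacker's address into it.
    """
    alerts = []
    known_ips = defaultdict(set)           # user -> IPs seen on clean logins
    recent_prompts = defaultdict(list)     # user -> timestamps of mfa_prompt_sent
    recent_rejections = defaultdict(list)  # user -> timestamps of mfa_denied/mfa_timeout

    for e in events:
        user, ts, ip, event = e["user"], e["ts"], e["ip"], e["event"]
        # Age out anything older than the window before evaluating this event.
        recent_prompts[user] = [t for t in recent_prompts[user] if ts - t <= window]
        recent_rejections[user] = [t for t in recent_rejections[user] if ts - t <= window]

        if event == "mfa_prompt_sent":
            recent_prompts[user].append(ts)
        elif event in ("mfa_denied", "mfa_timeout"):
            recent_rejections[user].append(ts)
        elif event == "login_success":
            reasons = []
            if known_ips[user] and ip not in known_ips[user]:
                reasons.append("new_source_ip")
            if len(recent_prompts[user]) >= prompt_threshold:
                reasons.append("repeated_mfa_prompts")
            if recent_rejections[user]:
                reasons.append("approval_after_rejection")
            if reasons:
                alerts.append({"user": user, "ip": ip, "ts": ts, "reasons": reasons})
            else:
                known_ips[user].add(ip)
            # A completed login closes the prompt sequence either way.
            recent_prompts[user].clear()
            recent_rejections[user].clear()
        # mfa_approved carries no extra signal here; the login_success that follows is what we score.
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_logins(parse_events(SAMPLE_LOG)):
        print(alert["ts"].isoformat(), alert["user"], alert["ip"], ",".join(alert["reasons"]))
```

On the sample above, only alice's 21:42 login alerts, and it trips all three rules at once. Against a real identity provider the field names differ (Azure AD sign-in logs and Okta's system log each have their own schema) and the thresholds need tuning per environment; the structural point is that the approval itself is not the signal, the run of prompts, rejections and an unfamiliar source before it is.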
Further, “No evidence was uncovered during the investigation to suggest that the aim of the attack was to obtain patient health information from the compromised email accounts, but data theft could not be ruled out. As a result, the email accounts and their contents were presumed compromised. Thus, all the emails and any attachments to them required a detailed, thorough review to determine if sensitive data about one or more patients was potentially impacted. This review was completed on October 17, 2022. Affected patients will be notified by letter. Notices were mailed to the affected patients or their personal representatives starting October 19, 2022 and will be completed on October 26, 2022.”
The article adds that some emails and attachments contained identifiable patient information, including name; medical record number; address; date of birth; diagnostic and treatment information; and/or health insurance information. The emails, the article says, “were job-related communications for coordination and care of patients, and information related to a specific patient varied, depending on a particular email or attachment.” The emails did not contain credit card, debit card, or bank account numbers. One patient received a separate notice because their Social Security number was potentially compromised.
When Michigan Medicine learned that the email accounts were compromised, it disabled the accounts and immediately changed their passwords, according to the release. The organization also implemented additional technical safeguards in its email system and the supporting infrastructure to prevent similar incidents from occurring.
“Robust training and education materials are used to increase employee awareness of the risks of cyberattacks,” the release says. “This includes sending regular, simulated phishing emails (imitations) that Michigan Medicine initiates and manages so employees are trained on what to look for, and how to identify and report them. The employees involved in this incident had previously been involved in these training exercises, and they are subject to disciplinary action under Michigan Medicine policies and procedures. Michigan Medicine is very sorry and deeply regrets this incident has occurred. Michigan Medicine also is assessing the ability to place additional technical safeguards on our email system and the infrastructure that supports it to prevent similar incidents from happening.”
Jeanne Strickland, Michigan Medicine's chief compliance officer, was quoted in the article as saying that “Patient privacy is extremely important to us, and we take this matter very seriously. Michigan Medicine took steps immediately to investigate this matter and is implementing additional safeguards to reduce risk to our patients and help prevent recurrence.”