Michigan Medicine announced Thursday that the health data of approximately 33,850 patients was exposed through compromised employee emails during a cyber attack in August. The attack lasted from Aug. 15 to Aug. 23 at which point Michigan Medicine discovered the breach.
The cyber attack took place through a phishing scam, during which a cyber attacker prompted users to fill out their Michigan Medicine login information in a fake webpage. According to the Michigan Medicine press release, four Michigan Medicine employees entered their information into this faulty webpage, allowing the attackers to access the Michigan Medicine database.
Jeanne Strickland, Michigan Medicine chief compliance officer, emphasized that Michigan Medicine understands the gravity of the incident and will work to prevent the situation in the future.
“Patient privacy is extremely important to us, and we take this matter very seriously,” Strickland said. “Michigan Medicine took steps immediately to investigate this matter and is implementing additional safeguards to reduce risk to our patients and help prevent recurrence.”
The breached emails contained identifiable patient information, including name, medical record number, address, date of birth, diagnostic and treatment information and health insurance information. No information included credit card, debit card or bank account numbers. One patient received notice since their Social Security Number was involved. According to the release, the specific information varied from patient to patient, but all emails were job-related communications necessary for patient care.
The release states that once Michigan Medicine learned about the breach, all subject accounts were disabled and passwords were changed. Any patients who were affected will be notified by letter, and notices were mailed to affected patients starting Oct. 19 and completed on Oct. 26.
According to the release, Michigan Medicine trains employees on risks involving cyberattacks, including sending simulated phishing emails as a way to educate staff on how to recognize and report phishing.
The employees involved in the breach had all participated in similar training exercises and are currently subject to disciplinary action based on Michigan Medicine policies and procedures. The release did not indicate what disciplinary actions will be taking place.
Though the release indicates that Michigan Medicine does not believe the accounts were breached with the intention of obtaining patient information, Michigan Medicine is encouraging all clients to monitor their accounts and their medical insurance statements.
Patients concerned about the breach can reach out to Michigan Medicine at the assistance line between 9 a.m. to 9 p.m. from Monday through Friday, with the exception of holidays.
All students, staff and faculty can report suspected phishing to reportphish@umich.edu.
Daily Staff Reporter Matthew Shanbom can be reached at shanbom@umich.edu.