Michigan Medicine published an article last month notifying patients about a possible health information breach. An estimated 5,500 patients were put at risk due to an email phishing campaign.
The incident occurred when an email containing a malicious link was sent to 3,200 employees in July. Three employees clicked on the link.
“Employees were directed to a webpage that looked like a legitimate site requesting the username and password for their email account,” the Michigan Medicine statement said.
Of the three employees who clicked on the link, two had emails that contained confidential patient information.
“The identifiable information in those emails included a combination of one or more of the following: names, medical record numbers, addresses, dates of birth, diagnostic and treatment information, and health insurance information,” the statement read. “A small subset of the emails also included Social Security numbers.”
In response to the scam, Michigan Medicine deleted the compromised emails, reset passwords and notified potentially affected patients.
LSA senior Katherine Sanchez was surprised to hear about this news.
“I thought it was interesting; I’ve heard big companies work really hard to teach employees what’s phishing and what’s not,” Sanchez said. “I never thought it would happen at a hospital.”
Rackham student Ben Stoler, who studies computer science, explained that his field has exposed him to many cyber threats.
“It’s a pretty common occurrence, honestly,” Stoler said. “Phishing attacks are the most common way that companies get information taken from them. They’re the employers’ worst enemy. It’s the easiest way in.”
These attacks are just one variety of cyber crime. Due to the rise in cyber crime, many people are becoming more aware of the importance of private data.
Unfortunately, this occurrence has not been the only recent breach in security at Michigan Medicine. Last year, an employee’s laptop was stolen, putting 870 patients at risk.
For many students at the University of Michigan, Michigan Medicine is the most accessible health care system, and these events can be alarming.
In response to the scam, LSA senior Colby Kelln expressed concern about the security of her own health information.
“I feel that entities that we give our personal information to should make an extreme effort to keep it private,” Kelln said.
Kelln and Sanchez believe the University needs to do a better job of informing and training students on cyber threats, and of protecting all personal data, not just health data.
“I use Google, I use Facebook,” Kelln said. “I’m giving them my data, and it’s kind of scary that I don’t know how to be more secure and more private. It’d be nice to know the extent to which my data is being shared and how to make my data more private, and also how to protect myself against phishing or any kind of security breach.”
Engineering alum Kevin DiMeglio — now a Lead Technician at GE Aviation — explained his company often faces security issues with embedded systems.
“The best way to prevent or stop phishing is really by education,” DiMeglio said. “People need to be informed to know how to identify suspect emails.”
On the University’s Safe Computing website, the administration lists alerts and notices for scams and phishing. The website also provides tips on ways to be safe online.
Ultimately, Stoler believes the Michigan Medicine health breach could have been prevented through two-factor authentication.
“(This incident) shows the importance of two-factor authentication and universal second-factor,” Stoler said. “Anytime someone tries to log in with your credentials, even if they have the same username and password, you get prompted on the Duo push notification.”
In addition, he stressed the importance of having different passwords, as people often use the same password for their bank account, medical account and email account. He suggests changing them frequently and using a password manager.
“You’re only secure via the weakest website,” Stoler remarked.
DiMeglio offered a solution the university could put in place that he’s used in the past.
“The university itself could place filters that look for emails that came from an external source and flag it,” DiMeglio said. “When someone receives something claiming to be an official UofM message, if all external emails get flagged in the subject line saying it’s from an external source, then users would know.”
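As an added illustration of the external-sender flagging DiMeglio describes (example code written for this page, not from Michigan Medicine or the University), the following Python tags the subject of any message whose From or Reply-To address falls outside an assumed placeholder set of internal domains; the sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: placeholder list of the organisation's own domains (not from the article).
INTERNAL_DOMAINS = {"umich.edu", "med.umich.edu"}
TAG = "[EXTERNAL]"

def sender_domain(header_value: str) -> str:
    """Domain of the address part of a From/Reply-To header, lower-cased.

    The display name is ignored on purpose: the sender controls it, so
    'UofM Help Desk <helpdesk@example.net>' must still count as external."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def is_external(domain: str) -> bool:
    # Sub-domains of an internal domain (e.g. mail.umich.edu) count as internal.
    return not any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)

def tag_subject(raw_message: str) -> str:
    """Return the Subject, prefixed with TAG when the message should be flagged.

    Flag when the From domain is external, or when Reply-To points outside the
    organisation even though From looks internal (a reply would leave it)."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    if subject.startswith(TAG):  # do not double-tag mail forwarded internally
        return subject
    flag = is_external(sender_domain(msg.get("From")))
    if msg.get("Reply-To"):
        flag = flag or is_external(sender_domain(msg.get("Reply-To")))
    return f"{TAG} {subject}" if flag else subject

# Constructed samples: a lookalike display name on an external address, and a real internal one.
PHISH = (
    "From: UofM IT Services <it-support@example.net>\r\n"
    "Subject: Action required: verify your email password\r\n\r\n"
    "Click the link to confirm your account.\r\n"
)
INTERNAL = (
    "From: Payroll <payroll@med.umich.edu>\r\n"
    "Subject: October pay stubs available\r\n\r\n"
    "See the portal.\r\n"
)

if __name__ == "__main__":
    print(tag_subject(PHISH))     # [EXTERNAL] Action required: verify your email password
    print(tag_subject(INTERNAL))  # October pay stubs available
```

A mail gateway applying this rule would give staff the visible cue DiMeglio describes even when the display name imitates an official sender.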