Michigan Medicine Notifies Patients of Data Information Breach

March 3, 2022

Michigan Medicine is notifying approximately 2,920 patients about an employee email account that was compromised which may have exposed some of their health information. Learn more.

February 21, 2022

The Michigan Medicine notified 269 patients to inform them about an incident that involved their health information. 

Michigan Medicine proactively monitors access to patients’ electronic medical records for potential inappropriate accesses. From these proactive efforts, on 1/27/2022 Michigan Medicine found that a newly-hired employee accessed patient medical records without a business need. All inappropriate accesses by this individual occurred between 12/1/2021 and 1/25/2022. The individual is part of and has close ties with the local Korean community and accessed records of patients that he knows from this local network. Patients involved in this HIPAA breach were notified via U.S. mail. The individual’s access to our systems was cut off immediately on 1/27/2022, and he was terminated thereafter.

Although the information was inappropriately accessed, based on our investigation, audit details and interviews, it appears that the individual’s actions were solely out of curiosity. There is no indication that information was further used or disclosed for other reasons. The individual viewed demographic and clinical information such as diagnosis, treatment, and test results. We believe the risk of identity or medical theft is low because no credit card, debit card, bank account, or Social Security Numbers were involved.

We always recommend that all patients monitor their health insurance statements for any transactions related to care or services that have not actually been received.  In our patient notice letters, we included ways to protect against identity theft. See www.usa.gov/identity-theft for more information.

We take our responsibility to safeguard personal information very seriously. We continue to educate our entire workforce on the importance of following our patient privacy policies and reinforce that these types of actions are not acceptable and require disciplinary measures, up to and including termination.

If someone is concerned that their information may have been involved with this incident, and they do not receive a letter by March 14, 2022, they can call the Michigan Medicine Corporate Compliance Office at 734-615-4400 or email us at Compliance-Privacy@med.umich.edu.