ANN ARBOR, Mich. — Michigan Medicine is notifying approximately 2,920 patients about a compromised employee email account that may have exposed some of their health information.
On December 23, 2021, an employee’s Michigan Medicine email account was compromised, resulting in a cyber attacker gaining access to and using the account to send phishing emails. The employee did not know about the compromise until suspicious activity occurred on January 6, 2022. That same day, the employee immediately reported the situation to our Information Technology Department, and the email account was disabled.
No evidence was uncovered during our investigation to suggest that the aim of the attack was to obtain patient health information, but data theft could not be ruled out. As a result, all of the emails involved were presumed compromised. The contents were reviewed to determine if sensitive data about any patients was potentially impacted. This analysis took place between January 31 and February 15, 2022.
Some emails and attachments were found to contain identifiable patient information, such as names, medical record numbers, addresses, dates of birth, diagnostic and treatment information, and/or health insurance information. The emails were job-related communications for coordination and care of patients, and the information related to a specific patient varied depending on the particular email or attachment. However, no Social Security numbers or credit card, debit card or other financial account information were discovered.
As soon as Michigan Medicine learned that the email account was compromised, the account was disabled so no further access could take place and immediate password changes were made. Additional technical safeguards on our email system and the infrastructure that supports it were also put in place to prevent similar incidents from happening.
Robust training and education materials are used to increase employee awareness of the risks of cyberattacks, as well as how to identify and report them. We are reviewing these materials to make further improvements.
“Patient privacy is extremely important to us, and we take this matter very seriously. Michigan Medicine took steps immediately to investigate this matter and is implementing additional safeguards to reduce risk to our patients and help prevent recurrence,” said Jeanne Strickland, Michigan Medicine chief compliance officer.
Notices were mailed to the affected patients or their personal representatives starting March 3, 2022. Those concerned about the breach who do not receive a letter may call the toll-free Michigan Medicine Assistance Line: (833) 430-2163. They should refer to Engagement # B028649 when speaking with an agent. Calls will be answered Monday through Friday, 9 am to 11 pm, and Saturday and Sunday, 11 am to 8 pm (Eastern Time).
While Michigan Medicine does not have reason to believe the accounts were compromised for the purpose of obtaining patient information, as a precautionary measure, all affected patients have been advised to monitor their medical insurance statements for any potential evidence of fraudulent transactions. Information about potential identity theft is available from the Federal Trade Commission at www.identitytheft.gov/#/Warning-Signs-of-Identity-Theft.
About Michigan Medicine: At Michigan Medicine, we advance health to serve Michigan and the world. We pursue excellence every day in our five hospitals, 125 clinics and home care operations that handle more than 2.3 million outpatient visits a year, as well as educate the next generation of physicians, health professionals and scientists in our U-M Medical School.
Michigan Medicine includes the top-ranked U-M Medical School and University of Michigan Health, which includes the C.S. Mott Children’s Hospital, Von Voigtlander Women’s Hospital, University Hospital, the Frankel Cardiovascular Center, Metro Health and the Rogel Cancer Center. The U-M Medical School is one of the nation's biomedical research powerhouses, with total research funding of more than $500 million.
More information is available at www.uofmhealth.org