University of Michigan Medicine (Michigan Medicine) sent notification letters to 56,953 persons concerning the compromise of some of their protected health information (PHI). According to recent news, patient information was saved in three employee email accounts which an unauthorized third party accessed from May 23 to May 29, 2024.
Upon discovery of suspicious email activity, the impacted accounts were promptly secured by blocking the IP address of the attacker and resetting account passwords to avoid continuing unauthorized access. The university launched an investigation to find out the nature and extent of the breach which affirmed that the attack only affected three email accounts of employees.
Michigan Medicine analyzed the impacted email accounts from June 10, 2024 to June 27, 2024, and reported that sensitive information was included in the accounts. The email accounts were utilized to communicate information associated with payment and billing. Michigan Medicine didn’t find any proof that indicated the motive of the attack was to get patient data; nevertheless, data theft cannot be excluded.
The types of data compromised differed from one person to another and consisted of patient and insurance guarantor data like names, addresses, birth dates, diagnostic and treatment data, medical record numbers, and medical insurance details. Michigan Medicine began sending notification letters to the impacted persons on July 19, 2024. There seemed to be no offer of free credit monitoring services, but Michigan Medicine has instructed all impacted persons to be wary of identity theft and fraud and suggests checking health insurance reports for suspicious transactions.
Michigan Medicine was impacted by an outage recently because of the erroneous CrowdStrike update. However, this outage is not related to the data breach. This is Michigan Medicine’s second email breach in the last two years. The first was on October 25, 2022, when Michigan Medicine informed the HHS’ Office for Civil Rights concerning a breach that affected the PHI of 33,857 individuals. There were four email accounts exposed from August 15 to August 23, 2022, because of a phishing attack.