DataBreaches.Net


Michigan Medicine notifies patients of health information breach

Posted on August 16, 2019 by Dissent

From Michigan Medicine, Aug. 16 –

ANN ARBOR, Mich. — Michigan Medicine is notifying approximately 5,500 patients about a phishing email campaign that may have exposed some of their health information.

During the campaign, emails containing a malicious link were sent to over 3,200 Michigan Medicine employees. If the link was clicked, employees were directed to a webpage that looked like a legitimate site requesting the username and password for their email account.

In July 2019, three employees clicked into this email, resulting in the perpetrator gaining access to the employees’ email accounts. The accounts were then used to continue to send additional phishing emails. Michigan Medicine discovered the compromised accounts on July 9 and July 12.

As soon as Michigan Medicine learned that the email accounts were compromised, they were disabled so no further access could take place until the passwords were changed.

Additionally, the malicious emails were deleted from all employees’ email accounts, and any employees identified as having received the malicious email were subject to mandatory password resets.

Through the investigation of the incident, no evidence was uncovered to suggest that the aim of the attack was to obtain patient health information.

However, data theft could not be ruled out. As a result, all of the emails of the employees involved were presumed compromised and the contents of the email accounts were analyzed. Two of the three employees’ compromised email accounts included emails that contained identifiable patient information. These accounts were compromised on July 8 and 12.

The identifiable information in those emails included a combination of one or more of the following: names, medical record numbers, addresses, dates of birth, diagnostic and treatment information, and health insurance information. A small subset of the emails also included Social Security numbers.

“Patient privacy is extremely important to us, and we take this matter very seriously. Michigan Medicine took steps immediately to investigate this matter and is implementing additional safeguards to reduce risk to our patients and help prevent recurrence,” said Jeanne Strickland, Michigan Medicine chief compliance officer.

Notices were mailed to the affected patients or their personal representatives.

Those concerned about the breach that do not receive a letter may call toll-free 855-336-5900, Monday through Friday, from 8 a.m. to 5 p.m.

While Michigan Medicine does not have reason to believe the accounts were compromised for the purpose of obtaining patient information, as a precautionary measure, all affected patients have been advised to monitor their medical insurance statements for any potential evidence of fraudulent transactions. Additionally, complimentary credit monitoring and identity theft protection services have been offered to all patients whose health insurance information or Social Security number was involved.

In response to this event, Michigan Medicine is implementing additional technical safeguards to prevent similar future incidents. Additional training and education materials have also been implemented to increase employee awareness on the risks and proper handling of malicious emails.

Source: Michigan Medicine

Category: Health Data, Phishing, U.S.

© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.