Michigan Medicine, the academic medical center of the University of Michigan, is notifying roughly 57,000 individuals that their personal and health information might have been compromised in a data breach.
The incident, Michigan Medicine says, resulted from threat actors gaining access to employee email accounts on May 23 and May 29. The compromised accounts were disabled as soon as the data breach was discovered.
“During its investigation, Michigan Medicine did not find any evidence to suggest that the aim of the attack was to obtain patient health information, but data theft could not be ruled out,” the academic medical center said in an incident notice.
“As a result, all the emails involved were presumed compromised and the contents were reviewed to determine if sensitive data about patients was potentially impacted. This analysis took place between June 10, 2024, and June 27, 2024,” it added.
Potentially exposed information contained in some emails and attachments includes names, addresses, dates of birth, medical record numbers, diagnostic and treatment information, and health insurance information. Both patients and insurance guarantors were affected.
No credit card, debit card, or bank account numbers were compromised in the incident, but the Social Security numbers of four patients were exposed in the hack.
“The emails were job-related communications for payment and billing coordination for Michigan Medicine patients. The information involved for each specific patient varied, depending on the particular email or attachment,” Michigan Medicine said.
The academic center blocked the attacker’s IP address and changed passwords to prevent further access. Michigan Medicine also took steps to improve the security of employee emails and passwords and plans to train employees on social engineering and password hygiene.
“Notices were mailed to the affected patients and/or guarantors or their personal representatives starting July 19, 2024,” Michigan Medicine said.
Related: MediSecure Data Breach Impacts 12.9 Million Individuals
Related: Japan’s Space Agency Hit by Multiple Cyberattacks, No Sensitive Data Taken
Related: City of Cleveland Scrambling to Restore Systems Following Cyberattack