Michigan Medicine, part of the University of Michigan Health System, has suffered a second significant cyberattack in less than four months, putting the personal health information of nearly 58,000 patients at risk. The breach was reported to have occurred on July 30, when, according to Michigan Medicine, an employee erroneously accepted a two-factor authentication request which allowed unauthorized access to the email account containing patient data, the Detroit Free Press reported.
While Social Security numbers and financial details like credit, debit cards, or bank account numbers were not included in the compromised information, diagnostic and treatment details, names and medical record numbers were part of the data potentially exposed. Rapid response to the incident included disabling the compromised account to prevent further access and initiating an investigation period from August 21-29 to determine the extent of the exposure, Audacy detailed.
The health system has taken steps to mitigate any future occurrences by tightening technical safeguards, reducing email retention times, modifying identity verification processes, and enhancing employee education on cybersecurity. "We are constantly working to minimize the threat of patient data being exposed, and when incidents like this occur, we immediately take steps to investigate," Jeanne Strickland, Michigan Medicine's chief compliance officer, expressed in a statement quoted by MLive. Measures are being reviewed and updated as cyberattacks grow more sophisticated, added Strickland, underscoring the high priority given to patient privacy.
News of this event comes on the heels of a previous incident in May, which affected the personal information of over 56,000 individuals at Michigan Medicine. The recent attack is part of a disturbing upward trend in healthcare-related cybersecurity incidents over the course of several years, as reported by the Detroit Free Press. Beginning today, Michigan Medicine began notifying those potentially affected by the breach, and a dedicated assistance line, 1-877-225-2078, has been made available for concerned patients, to monitor potential fraudulent activity on their medical insurance statements.
