Lone Michigan Medicine employee responsible for breach that impacted 58K patients

A phishing scam at University of Michigan Medicine in Ann Arbor resulted in personal information from 57,891 patients being leaked to hackers. 

According to a statement from the academic hospital, a single employee is responsible for the data breach on its network, after they responded to an unauthorized prompt to provide multifactor authentication information to a criminal third party. 

“As soon as Michigan Medicine learned that the email accounts were compromised, the cyberattacker’s IP address was blocked, and immediate password changes were made so no further access could take place,” the hospital added in a statement

The accident caused hackers to gain access to email servers and presumably all of their contents, including file attachments. Potentially exposed data included patient names, medical record numbers, and details on diagnoses and treatments. 

Financial information, such as credit card and social security numbers, were not exposed, Michigan Medicine said. 

The employee responsible for the breach was subjected to disciplinary action, the hospital noted. However, there is no evidence of malice. It’s also not entirely clear what information the unknown hackers were after—and it may not have been patient data at all, Michigan Medicine added. 

The hospital did not provide specifics on how long its email system was compromised. 

In response, Michigan Medicine said it deployed “more stringent technical safeguards” on its email system in an effort to “prevent similar incidents from happening.”

The incident happened on July 30. The investigation was completed on Aug. 29, and now the hospital is notifying impacted individuals. 

Chad Van Alstin Health Imaging Health Exec

Chad is an award-winning writer and editor with over 15 years of experience working in media. He has a decade-long professional background in healthcare, working as a writer and in public relations.

Around the web

Merck sent Hansoh Pharma, a Chinese biopharmaceutical company, an upfront payment of $112 million to license a new investigational GLP-1 receptor agonist. There could be many more payments to come if certain milestones are met. 

When regulating AI-equipped medical devices, the FDA might take a page from the Department of Transportation’s playbook for overseeing AI-equipped vehicles. These run the gamut from assisting human drivers to fully taking the wheel. 

Kit Crancer, RBMA board member, speaks with Radiology Business about key legislative developments on the Hill that will affect the specialty.