Lone Michigan Medicine employee responsible for breach that impacted 58K patients
A phishing scam at University of Michigan Medicine in Ann Arbor resulted in personal information from 57,891 patients being leaked to hackers.
According to a statement from the academic hospital, a single employee is responsible for the data breach on its network, after they responded to an unauthorized prompt to provide multifactor authentication information to a criminal third party.
“As soon as Michigan Medicine learned that the email accounts were compromised, the cyberattacker’s IP address was blocked, and immediate password changes were made so no further access could take place,” the hospital added in a statement.
The accident caused hackers to gain access to email servers and presumably all of their contents, including file attachments. Potentially exposed data included patient names, medical record numbers, and details on diagnoses and treatments.
Financial information, such as credit card and social security numbers, were not exposed, Michigan Medicine said.
The employee responsible for the breach was subjected to disciplinary action, the hospital noted. However, there is no evidence of malice. It’s also not entirely clear what information the unknown hackers were after—and it may not have been patient data at all, Michigan Medicine added.
The hospital did not provide specifics on how long its email system was compromised.
In response, Michigan Medicine said it deployed “more stringent technical safeguards” on its email system in an effort to “prevent similar incidents from happening.”
The incident happened on July 30. The investigation was completed on Aug. 29, and now the hospital is notifying impacted individuals.
Chad is an award-winning writer and editor with over 15 years of experience working in media. He has a decade-long professional background in healthcare, working as a writer and in public relations.