The academic medical center of the University of Michigan, Michigan Medicine, suffered a data breach that impacted 56953 patients.
The security incident exposed the personal and health information of the patients. Michigan Medicine notified patients of the data breach.
The threat actors accessed the employee email accounts on May 23 and May 29. AIn response to the incident, the organization blocked the IP address used by the attackers, and forced a password reset on the impacted accounts.
The organization disabled the impacted accounts to prevent unauthorized access.
“During its investigation, Michigan Medicine did not find any evidence to suggest that the aim of the attack was to obtain patient health information, but data theft could not be ruled out. As a result, all the emails involved were presumed compromised and the contents were reviewed to determine if sensitive data about patients was potentially impacted.This analysis took place between June 10, 2024, and June 27, 2024.” reads the data breach notification published by the organization.
Michigan Medicine discovered that emails and attachments containing identifiable patient and insurance guarantor information were accessed in the data breach. The compromised data includes names, medical record numbers, addresses, dates of birth, diagnostic and treatment information, and health insurance details. The exposed emails were part of a job-related communications concerning payment and billing coordination for patients. The type of information exposed varies for each individual and depends on the specific email or attachment.
The company pointed out financial information such as credit card, debit card, or bank account numbers were not compromised in the incident. However, the organization is aware that the Social Security numbers of four patients were exposed in the hack, these patients received a separate notice.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Michigan Medicine)