ANN ARBOR, Mich. — Michigan Medicine is notifying approximately 56,953  individuals about employee email accounts that were compromised, potentially exposing some patient health information.

Three Michigan Medicine employee email accounts were compromised due to a cyberattack. The events occurred on May 23 and May 29, 2024. The accounts were disabled as soon as possible so no further access could take place.

This incident was not related to the recent CrowdStrike outages.

During its investigation, Michigan Medicine did not find any evidence to suggest that the aim of the attack was to obtain patient health information, but data theft could not be ruled out. As a result, all the emails involved were presumed compromised and the contents were reviewed to determine if sensitive data about patients was potentially impacted.This analysis took place between June 10, 2024, and June 27, 2024.

Some emails and attachments were found to contain identifiable patient and/or insurance guarantor information, such as: names, medical record numbers, addresses, dates of birth, diagnostic and treatment information, and/or health insurance information. The emails were job-related communications for payment and billing coordination for Michigan Medicine patients. The information involved for each specific patient varied, depending on the particular email or attachment. 

As soon as Michigan Medicine learned that the email accounts were compromised, the cyber attacker’s IP address was blocked, and immediate password changes were made so no further access could take place. The email accounts did not contain any credit card, debit card, or bank account numbers. Four patients received separate notice because their Social Security Numbers were involved.

Michigan Medicine is taking swift action to ward off future cyberattacks that target employees. Michigan Medicine has strengthened existing processes regarding the security of employee passwords and email accounts. Additionally, all Michigan Medicine staff will receive additional education on these topics, such as how social engineering attacks work, the need to select strong passwords, and the need to use different passwords for multiple sites. We are also strengthening existing processes to ward off social engineering attacks targeting Michigan Medicine employees.

“Michigan Medicine immediately took steps to investigate this matter, once alerted to the possibility of patient data being exposed. We constantly monitor for cyberattacks such as these because patient privacy is so extremely important to us,” said Jeanne Strickland, Michigan Medicine Chief Compliance Officer.

“We currently have multiple safeguards in place to reduce risk to our patients and prevent recurrence but will examine this incident thoroughly to determine if new or additional measures are needed.”

Notices were mailed to the affected patients and/or guarantors or their personal representatives starting July 19, 2024. Those concerned about the breach who do not receive a letter may call the toll-free Michigan Medicine Assistance Line: 1-888-409-7484. Calls will be answered Monday through Friday, 9 am to 9 pm (Eastern Time).

While Michigan Medicine does not have reason to believe the accounts were compromised for the purpose of obtaining patient information, as a precautionary measure, all affected patients have been advised to monitor their medical insurance statements for any potential evidence of fraudulent transactions. Information about potential identity theft is available from the Federal Trade Commission at www.identitytheft.gov/#/Warning-Signs-of-Identity-Theft