Michigan Medicine data breach exposes personal and health information of 57,000 individuals

Michigan Medicine, the academic medical center of the University of Michigan, is notifying approximately 57,000 individuals that their personal and health information may have been compromised in a recent data breach.

The breach occurred when threat actors accessed employee email accounts on May 23 and May 29. Upon discovering the breach, Michigan Medicine immediately disabled the compromised accounts. In an incident notice, the academic center stated that while no evidence suggests the attack targeted patient health information, data theft could not be ruled out. Consequently, all affected emails were presumed compromised and reviewed to determine if sensitive data was impacted. This analysis occurred from June 10 to June 27, 2024.

The potentially exposed information includes names, addresses, dates of birth, medical record numbers, diagnostic and treatment information, and health insurance details. Both patients and insurance guarantors were affected. Although no credit card, debit card, or bank account numbers were compromised, the Social Security numbers of four patients were exposed.

The emails involved job-related communications for payment and billing coordination for Michigan Medicine patients. The specific information varied depending on the email or attachment. In response to the breach, Michigan Medicine blocked the attacker’s IP address and changed passwords to prevent further access. The center also enhanced the security of employee emails and passwords and plans to train employees on social engineering and password hygiene. The affected individuals or their representatives were mailed notices starting July 19, 2024.