Michigan Medicine latest health care system to be hit by cyberattack

• Email accounts of three Michigan Medicine employees were hacked in May
• An investigation found that emails in those accounts contained personal information for nearly 57K patients
• Patients were notified beginning Friday — the same day that the health system and others wrangled unrelated computer glitches caused by a software update

Patient information for nearly 57,000 people may have been shared during the latest health care-related cyberattack in Michigan.

Hackers accessed emails of three employees at Michigan Medicine, part of the University of Michigan, May 23 and May 29, and those accounts were “were disabled as soon as possible so no further access could take place,” according to a statement Monday.

Patients began to be notified Friday, but the attack was unrelated to “technical issues” the hospital system reported that same day from the global CrowdStrike outages.The CrowdStrike problems were linked to a software update by the Texas-based global cybersecurity firm. In addition to delaying flights and interrupting some business operations, the glitch took down some phone lines and snarled some health care systems.

But the cyberattack on Michigan Medicine, where emails were hacked twice in 2022, was intentional. In the most recent attack, email accounts were accessed remotely, according to Mary Masson, spokesperson for the health system.

Related:

• Global technology outage impacts flights, health care systems in Michigan
• Cyberattack on Ascension Michigan, other sites, began with ‘honest mistake’
• Ransomware update: Ascension can’t fill prescriptions at its Michigan pharmacies
• Cyberattack forces Ascension hospitals in Michigan to reroute patients

It was not clear whether investigators were able to identify the source of the attack. Masson said it was not ransomware, like the May attack that took down the electronic medical records system at Ascension health, a national chain that operates 15 Michigan hospitals and 40 senior living facilities in Michigan. That attack hobbled the system for weeks.

While it did not appear that whoever attacked Michigan Medicine was trying to obtain patient health information, “data theft could not be ruled out,” according to the statement.

All emails “were presumed compromised,” according to the statement.

During a review that took more than two weeks in June to complete, reviewers identified emails that contained medical record numbers, addresses, dates of birth, diagnostic and treatment information, or health insurance information. In four cases, a patient’s Social Security number was involved.

No credit card, debit card or bank account numbers were compromised, according to the health system.

It took some time for the hospital system to alert patients as the investigation took place, Masson said.

“While we were able to stop the threat actor very quickly, it takes longer to analyze the data involved … Following a full data analysis, we finalized the review and determined that identifiable protected health information pertaining to 56,953 patients was involved,” she told Bridge Michigan.

Michigan Medicine includes three hospitals, as well as about 30 health centers and 120 outpatient clinics.

Anyone concerned about the breach who does not receive a letter may call the toll-free Michigan Medicine Assistance Line: 1-888-409-7484. Calls will be answered Monday through Friday, 9 a.m. to 9 p.m. EDT.