Phishing Attack Potentially Compromises PHI of 34,000 Patients


University of Michigan Health has sent breach notification letters to around 33,850 patients whose data was potentially compromised during a phishing attack. Though there is not yet any evidence that the data has been sold or misused, University of Michigan Health has stated in its breach notification letter that affected patients should assume that all of their data has been accessed by unauthorized individuals.

 The attack was conducted between August 15 and August 23, 2022, during which four employees responded to the phishing emails. The emails directed them to a malicious website, where they inputted their Michigan Health login details. The attackers then used these credentials to attempt access to the email accounts of these employees. All four employees responded to the multi-factor authentication prompts that were triggered by the attacker’s login attempts, enabling the attackers to access the email accounts and the PHI records of nearly 34,000 patients.

Though University of Michigan Health has stated that the purpose of the attack does not appear to have been to gain access to PHI, the compromised emails included information such as patient birthdays, addresses, diagnoses, treatment plans, and health insurance information. Michigan Health has also stated that it is investigating additional technical safeguards to its email systems to protect against future attacks, and that it “deeply regrets” the incident.

Jeanne Strickland, the University of Michigan Health’s Chief Compliance Officer, has stated:

“Patient privacy is extremely important to us, and we take this matter very seriously. Michigan Medicine took steps immediately to investigate this matter and is implementing additional safeguards to reduce risk to our patients and help prevent recurrence.”

Unfortunately, this is the second time this year that University of Michigan Health has reported an email breach. The previous breach, in February, saw the PHI of 2,920 patients accessed by unauthorized individuals during a phishing attack.