Phishing Attacks on Michigan Medicine and Virginia Gay Hospital Potentially Exposed PHI

Michigan Medicine notified about 5,500 of its patients regarding the exposure of some of their protected health information (PHI) because of a phishing attack recently.

In July, Michigan Medicine was hit by a phishing attack. About 3,200 employees got phishing emails that have a hyperlink going to a legit-looking web site, which asked for the email login credentials of the user.

Three employees clicked the hyperlink in the emails and exposed their login credentials. Their email accounts were accessed by unauthorized persons who sent other phishing emails using the account. Michigan Medicine noticed on July 8, 9 and 12, 2019 the suspicious activity in the accounts and reset the account password to block further unauthorized access. The company also reset the passwords of all employees’ email accounts that got phishing emails as a safety precaution.

Two of the compromised accounts were found to have patient data. Besides a patient’s name, at least one of the following could have been exposed: Address, birth date, medical record number, diagnostic data, treatment details, health insurance data, and Social Security number of some patients.

There was no evidence found that indicate the viewing or copying of patient data; nevertheless, the possibility of data theft could not be made certain. Hence, Michigan Medicine assumed that patient data was compromised. The company offered the affected patients free credit monitoring services and instructed them to keep track of their accounts and insurance statements for potentially fraudulent transactions.

Michigan Medicine is employing further technical security measures to improve email security. Employees will receive further training on security awareness.

Phishing Attack on Virginia Gay Hospital

Virginia Gay Hospital located in Vinton, OH, is informing some patients about the unauthorized access of some of their PHI because someone accessed one of its employee’s email account on June 18, 2019.

The hospital hired a computer forensics firm to investigate and found that the compromised email account included the following information: names, birth dates, Social Security numbers, and medical details of people who got outpatient services from the hospital. There was no evidence found that suggest the viewing or copying of patient data.

The hospital is notifying breach affected patients now, though the exact number of persons whose PHI was exposed is still unknown.