Ascension Michigan — the subsidiary of St. Louis-based Ascension Health that operates four hospitals in the state — suffered a data breach last year that exposed personal information of more than 27,000 patients.
The health system discovered on Nov. 30 last year that an unauthorized user accessed its electronic health record system between Oct. 15, 2015, and Sept. 8, 2021, and gained access to patients' names, birth dates, addresses, email addresses, phone numbers, health insurance information, dates of service as well as diagnosis and treatment data. Some Social Security numbers were also accessed, the health system said in a bulletin on its website.
Ascension terminated the user's access as part of its internal investigation, the bulletin read.
It is unclear when patients were notified about the data breach. Representatives from the system were not immediately available to comment.
Ascension Michigan said in the bulletin that it has notified all the patients affected and is offering free credit monitoring and identity theft protection services to the patients.
The system also turned over the investigation report to law enforcement.
It's unclear whether any of the compromised information was used against the patients.
"We recommend that individuals remain vigilant in responding to anyone that may know their medical information related to, or received at, an Ascension Michigan facility and report to us anyone attempting to contact them regarding medical services or indicating they are partnering with Ascension to offer services," the health system said in the bulletin.
Download Modern Healthcare’s app to stay informed when industry news breaks.
Ascension Michigan also established a call center for impacted patients at (855) 568-2066.
More than 550 U.S. hospitals reported data breaches in 2021, exposing the information of more than 40 million patients, according to data from the U.S. Health and Human Services' Office for Civil Rights.
The largest data breach last year was from health plan Florida Healthy Kids Corp., which experienced a breach that exposed the information of 3.5 million members. Florida's 20/20 Eye Care Network also reported a breach that impacted 3.3 million members.
Kroger Co. also reported a breach last year that exposed the data of 1.5 million customers as part of a breach of software service provider Accellion. About 1,500 Beaumont Health patients were impacted by the Accellion breach.
Earlier this month, Ann Arbor-based Michigan Medicine reported an employee's email was hacked on Dec. 23 last year via phishing emails that may have exposed the data of 2,920 patients.
This story first appeared in our sister publication, Crain's Detroit Business.