For the second time this year, Michigan Medicine has suffered a data breach.
The Ann Arbor-based health system has contacted 33,850 patients in the past week after a cyberattack in August gained access to employee email accounts and potentially exposed health information of patients, Michigan Medicine said in a press release.
Four Michigan Medicine employees fell for the phishing scam between Aug. 15 and Aug. 23 that lured them to a web page asking for login information and fake multifactor authentication prompts. The health system became aware of the cyberattack on Aug. 23 and disabled the email accounts.
Michigan Medicine completed a security review of the incident on Oct. 17 and uncovered no evidence that the attack was designed to access patient information, but it could not rule out data theft that may have included patient information.
Some emails contained patient information, such as names, medical record numbers, addresses, birthdates, treatment information and health insurance data, the system said in a press release.
One patient's Social Security number was involved.
Michigan Medicine said it completed notification of patients Wednesday.
"Patient privacy is extremely important to us, and we take this matter very seriously," Jeanne Strickland, Michigan Medicine's chief compliance officer, said in a press release. "Michigan Medicine took steps immediately to investigate this matter and is implementing additional safeguards to reduce risk to our patients and help prevent recurrence."
Cyberattacks have been a growing concern for businesses for a decade and an increasing problem for the healthcare industry, which deals with so much sensitive information.
In March, Michigan Medicine notified nearly 3,000 patients of a data breach of their health information from a similar phishing scam.
Also in March, Ascension Michigan — the subsidiary of St. Louis-based Ascension Health that operates four hospitals in the state — announced a data breach that exposed personal information of more than 27,000 patients.
More than 550 U.S. hospitals reported data breaches in 2021, exposing the information of more than 40 million patients, according to data from the U.S. Health and Human Services' Office for Civil Rights.
The largest data breach last year was from health plan Florida Healthy Kids Corp., which experienced a breach that exposed the information of 3.5 million members. Florida's 20/20 Eye Care Network also reported a breach that impacted 3.3 million members.
Kroger Co. also reported a breach last year that exposed the data of 1.5 million customers as part of a breach of software service provider Accellion. About 1,500 Beaumont Health, now Corewell Health, patients were impacted by the Accellion breach.
This story first appeared in our sister publication, Crain's Detroit Business.