Michigan Medicine Data Breach May Have Exposed Personal Details of 57,000 Patients

• The University of Michigan Medicine announced being hit by a cyberattack in May.
• Unauthorized third parties infiltrated employee emails, potentially accessing patient data.
• Approximately 57,000 affected individuals are being notified, with exposed data including names, addresses, and dates of birth.

The University of Michigan's academic medical center in Ann Arbor suffered a data breach on May 23 and May 29 when threat actors gained access to three employee email accounts. The security incident may have impacted the personal and health information of patients, and Michigan Medicine is notifying 56,953 individuals.

The emails contained Michigan Medicine patient communications for payment and billing coordination, and some featured personally identifiable information on patients and/or insurance guarantors, but no credit card, debit card, or bank account numbers were exposed.

These include names, medical record numbers, addresses, dates of birth, diagnostic and treatment information, and/or health insurance information. 

The details involved for each specific patient vary, and four patients received separate notices because their Social Security Numbers were involved.

They started an investigation between June 10 and 27, 2024, reviewing the involved emails to determine if sensitive patient data was potentially impacted. The inquiry showed no signs that data theft was the cyberattack’s aim but affected patients have been advised to be cautious. 

Michigan Medicine said the compromised accounts were disabled as soon as the data breach was discovered and the staff will receive additional education on cybersecurity. The medical entity announced the cyberattack was not related to the recent CrowdStrike outages.

Michigan Medicine is comprised of the University of Michigan Medical School and the university's affiliated hospitals and healthcare centers.

Last month, a specialty radiology practice in Minnesota announced hackers breached its systems earlier this year, affecting nearly 512,000 individuals whose sensitive details were exposed. 

Recently, health tech services provider HealthEquity suffered a security breach after a partner's account with access to some of HealthEquity’s SharePoint data was compromised, allowing hackers to steal customers’ private health information.