U-M cyberattack compromised Michigan Medicine patient data of 56,000 people

The personal information of more than 56,000 people — including names, medical record numbers, addresses, dates of birth, diagnostic and treatment information, and health insurance details — was compromised in a cyberattack at Michigan Medicine, the academic medical center of the University of Michigan.

The details may have been accessed when employee emails and attachments were hacked between May 23-May 29, said Mary Masson, a spokesperson for Michigan Medicine, in a news release Monday.

"The emails were job-related communications for payment and billing coordination for Michigan Medicine patients," Masson said, noting that the incident is not related to last week's CrowdStrike software glitch that crippled computer networks globally, affecting banks and airlines, hospitals and more. "The information involved for each specific patient varied, depending on the particular email or attachment.

"During its investigation, Michigan Medicine did not find any evidence to suggest that the aim of the attack was to obtain patient health information, but data theft could not be ruled out. As a result, all the emails involved were presumed compromised and the contents were reviewed to determine if sensitive data about patients was potentially impacted."

Michigan Medicine blocked the IP address of the cyberattacker and changed passwords to block access. No credit card, debit card or bank account numbers were compromised, Masson said. Four patients were sent separate notices disclosing that their Social Security numbers may have been accessed during the cyberattack.

More: Ascension nurse: Ransomware attack makes caring for hospital patients 'so, so dangerous'

“We currently have multiple safeguards in place to reduce risk to our patients and prevent recurrence but will examine this incident thoroughly to determine if new or additional measures are needed," said Jeanne Strickland, Michigan Medicine's chief compliance officer, in a statement.

The health system is strengthening its efforts to prevent social engineering among employees, Masson said, noting that workers are getting additional education and training on password security.

Patients are urged to monitor their medical insurance statements for any evidence of fraudulent transactions.

The first notices were mailed starting July 19 to those whose data was involved in the cyberattack.

More: Global Microsoft outage causes delays at Detroit Metro Airport, businesses, banks

The number of cyberattacks in health care are growing.

From 2018-22, there was a 93% rise in large cybersecurity breaches reported to the U.S. Department of Health and Human Services Office for Civil Rights and a 278% increase in large breaches involving ransomware, the agency reported .

These breaches can cause disruptions to the care of patients, delay medical procedures and put patient safety at risk.

Contact Kristen Shamus: kshamus@freepress.com. Subscribe to the Free Press.

This article originally appeared on Detroit Free Press: U-M cyberattack compromised Michigan Medicine patient data of 56,000 people