University of Michigan Health (Michigan Medicine) has lately announced the potential compromise of the protected health information (PHI) of around 33,850 patients due to a phishing attack. Michigan Medicine detected suspicious activity within its email account and took steps immediately to secure the accounts to stop further unauthorized access.
Michigan Medicine stated the phishing campaign happened between August 15 and August 23, 2022, resulting in the compromise of four email accounts. According to the breach notice of Michigan Medicine, employee email accounts were secured by multi-factor authentication when the attack happened. Four employees answered the phishing emails, clicked on a malicious site, revealed their Michigan Medicine login details, and replied to the multi-factor authentication prompts, therefore, their accounts were accessed.
The investigation of forensic experts uncovered no proof of data theft and it appeared there was no breach of accounts in order to acquire patient information; nevertheless, Michigan Medicine has supposed that all data in the accounts were exposed. The evaluation of the email accounts was done on October 17, 2022. Michigan Medicine already sent the breach notification letters.
The compromised accounts had job-related communications for patient coordination and care. The data in the email messages were different from one patient to another and possibly included names, together with one or more of the following types of information: date of birth, address, diagnostic and treatment details, and medical insurance data. Michigan Medicine mentioned it has put in place additional technical safeguards to its email system and the infrastructure to avert more identical incidents.
This is Michigan Medicine’s second email account breach report submitted this year. In late February, Michigan Medicine reported that a single email account with the PHI of 2,920 individuals had been breached. Michigan Medicine was likewise targeted in a phishing campaign in 2019, that resulted in the receipt of phishing emails by 3,200 employees. During that attack, three employees replied, leading to the exposure of the PHI of 5,466 patients.
Ransomware Attack on Ascension St. Vincent’s Coastal Cardiology Brunswick
Ascension St. Vincent’s Coastal Cardiology Brunswick based in Georgia has begun informing 71,227 patients concerning a security breach that impacted its old systems, which include its old electronic health record system. The healthcare provider discovered the incident on August 15, 2022, and immediately secured all systems to stop continuing unauthorized access; nevertheless, the encryption of selected files on those systems cannot be prevented. The investigation affirmed the attack was limited to its old systems and did not impact any Ascension networks or systems or its electronic medical system. The old Coastal Cardiology system was mainly employed to keep patient information to satisfy regulatory prerequisites and wasn’t employed for present business operations.
Ransomware attacks frequently entail data theft before files encryption; nevertheless, the forensic investigation did not find any proof that suggests the removal of any information from those systems. Based on the breach notice, there was no ransom paid, since the data can’t be decrypted. Therefore, it cannot be determined which types of data were encrypted. Ascension mentioned the systems could have comprised demographic and medical data associated with appointments at Coastal Cardiology before October 5, 2021. That data could have contained names, telephone numbers, addresses, email addresses, insurance data, clinical details, billing and insurance details, and Social Security numbers.
The affected individuals received free credit and identity theft protection services. Ascension stated it has performed a security risk analysis, realigned employee’s duties, eliminated access rights to the heritage system, and is giving additional training to its colleagues.