University of Michigan Health (Michigan Medicine) has recently announced that the protected health information of approximately 33,850 patients has potentially been compromised in a phishing attack. Suspicious activity was detected within its email environment and steps were immediately taken to secure the accounts to prevent further unauthorized access.
Michigan Medicine said it was targeted in a phishing campaign between August 15 and August 23, 2022, and four email accounts were compromised. Michigan Medicine said in its breach notice that employee email accounts were protected with multi-factor authentication at the time of the attack. Four employees responded to the phishing emails, visited a malicious website, disclosed their Michigan Medicine login information, and responded to the multi-factor authentication prompts, which allowed their accounts to be accessed.
The forensic investigation found no evidence of data theft and it appeared that the accounts were not compromised in order to obtain patient information; however, Michigan Medicine has assumed that all information in the accounts has been compromised. The review of the email accounts was completed on October 17, 2022, and notification letters have now been mailed.
The compromised accounts contained job-related communications for the coordination and care of patients. The information in the emails varied from patient to patient and may have included names, along with one or more of the following types of information: address, date of birth, diagnostic and treatment information, and health insurance information. Michigan Medicine said it has implemented additional technical safeguards to its email system and the infrastructure that supports it to prevent further incidents of this nature.
This is the second email account breach to be reported by Michigan Medicine this year. In late February, Michigan Medicine announced that a single email account containing the PHI of 2,920 patients had been compromised. Michigan Medicine was also targeted in a phishing campaign in 2019, which saw 3,200 of its employees receive phishing emails. In that attack, three employees responded, resulting in the exposure of the PHI of 5,466 patients.
Ascension St. Vincent’s Coastal Cardiology Brunswick Suffers Ransomware Attack
Ascension St. Vincent’s Coastal Cardiology Brunswick in Georgia has started notifying 71,227 patients about a security breach that affected its legacy systems, including its legacy electronic medical record system. The incident was detected on August 15, 2022, and all systems were immediately secured to prevent further unauthorized access; however, it was not possible to prevent the encryption of certain files on those systems. The investigation confirmed the attack was confined to its legacy systems. No Ascension networks or systems were affected, nor was the electronic medical system that is currently in use. The legacy Coastal Cardiology network was primarily used to retain patient data to meet regulatory requirements and was not used for current business operations.
Ransomware attacks often involve data theft prior to the encryption of files; however, the forensic investigation found no evidence to suggest any information was removed from those systems. The breach notice suggests the ransom was not paid, as the data could not be decrypted. As such, it was not possible to determine the exact types of information that had been encrypted. Ascension said the systems would have contained demographic and health information related to visits at Coastal Cardiology prior to October 5, 2021. That information would have included names, addresses, email addresses, phone numbers, insurance information, Social Security numbers, clinical information, and billing and insurance information.
Complimentary credit and identity theft protection services have been offered to affected individuals. Ascension said it has conducted a security risk assessment, realigned staff responsibilities, removed access rights to the legacy system, and is providing further training to its associates.
Delta Dental of Washington Members Affected by Mailing Vendor Hacking Incident
Delta Dental of Washington has announced that the protected health information of 6,361 members of its dental benefits plans has potentially been compromised in a cyberattack on its mail and printing vendor, Kaye-Smith. The attack occurred in June 2022 and resulted in the exposure of information such as names, addresses, group numbers, and Delta Dental Member ID numbers. Delta Dental of Washington was one of several organizations affected by the data breach.
Kaye-Smith is notifying affected individuals on behalf of Delta Dental of Washington and has offered complimentary credit monitoring services for 12 months.
The post PHI of Almost 34,000 Patients Potentially Compromised in Michigan Medicine Phishing Attack appeared first on HIPAA Journal.