PHI of University of Michigan Health Service and School of Dentistry Patients Exposed
The University of Michigan (UM) has recently announced it fell victim to a cyberattack in the summer that resulted in unauthorized access to the sensitive data of students, applicants, alumni, donors, employees, contractors, University Health Service and School of Dentistry patients, and research study participants.
UM detected suspicious activity within its computer network on August 23, 2023, and took immediate action to contain the incident and prevent further unauthorized access. Third-party cybersecurity experts were engaged to assist with the investigation and confirmed that an unauthorized third party had access to its network between August 23, 2023, and August 27, 2023.
A review was conducted to identify files that may have been accessed and the types of data involved. The exposed data varied from individual to individual and may have included the following:
- Students, applicants, alumni, donors, employees, and contractors: Name, Social Security number, driver’s license or other government-issued ID number, financial account or payment card number, and/or health information.
- Research study participants and University Health Service and School of Dentistry patients: Name, Social Security number, driver’s license or government-issued ID number, financial account/payment card number, or health insurance information, University Health Service and School of Dentistry clinical information such as medical record number or diagnosis or treatment or medication history, and/or information related to participation in certain research studies.
UM said it is working with third-party cybersecurity experts to harden its systems and better protect sensitive data. Notification letters were mailed to the affected individuals on October 23, 2023, who have been offered complimentary credit monitoring services. The incident has yet to appear on the HHS’ Office for Civil Rights website so it is currently unclear how many individuals have been affected.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Westat & Radius Global Solutions Confirm Scale of MOVEit Hacks
The Rockville, MD-based professional services provider, Westat, Inc., has recently reported a MOVEit Transfer data breach to the HHS’ Office for Civil Rights. The notification covers 50,065 individuals who had their PHI exposed, such as names, dates of birth, and Social Security numbers. The Clop hacking group exploited a zero-day vulnerability between May 28 and May 29, 2023, and exfiltrated human resources files. Westat mailed notification letters to affected individuals on July 21, 2023. Credit monitoring services have been offered to the affected individuals. Meadville Medical Center in Pennsylvania and Cape Fear Valley Health in Fayetteville, NC, were among the affected clients.
The Edina, MN-based accounts receivable, customer relations, and revenue cycle management solution provider, Radius Global Solutions, has notified the HHS that the PHI of 135,742 individuals was compromised when the Clop hackers exploited the MOVEit Transfer zero-day flaw. Radius learned that it was affected on June 1, 2023, and said the hackers stole files that contained names, dates of birth, Social Security numbers, treatment codes, treatment locations, and treatment payment histories. Complimentary identity monitoring and protection services have been offered to the affected individuals.
Radius filed two notices with the Maine Attorney General about the breach, the first on September 1, 2023, which said 632,204 individuals had been affected and a second notice was filed on September 15, 2023, stating 9,979 individuals had been affected.
