
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Michigan Medicine Experiences Another Email Account Hacking Incident

The data breaches at Michigan Medicine keep on coming, with the latest incident involving unauthorized access to an employee’s email account on July 30, 2024. The email account was reviewed and found to contain the protected health information of 57,891 individuals. A similarly sized email data breach was announced by Michigan Medicine in July, with that incident involving unauthorized access to three employee email accounts in May 2024. Two years ago, a response to a phishing email led to another email breach that exposed the protected health information of 33,000 patients.

The Ann Arbor, MI-based healthcare provider said one of its employees accepted an unsolicited multifactor authentication prompt, which allowed an unauthorized individual to access the email account and its contents. The account was disabled as soon as the unauthorized access was detected, and an investigation was launched to determine the nature and scope of the unauthorized activity.

The investigation confirmed that patient data was present in emails and attachments that were used for communications related to the treatment and coordination of care for Michigan Medicine patients. The account was reviewed between August 21, 2024, and August 29, 2024, and was found to contain names, medical record numbers, and diagnostic and treatment information. The types of data involved varied from individual to individual.

Michigan Medicine said that in addition to disabling the email account, it blocked the attacker’s IP address and made password changes. To reduce the risk of further email account breaches, Michigan Medicine said it is implementing more stringent technical safeguards for its email system and the infrastructure that supports it, including modifying its identity verification processes, decreasing the length of time emails are retained, and increasing education on the use of multifactor authentication.

The affected individuals were notified on September 26, 2024. Michigan Medicine said it does not believe that the aim of the attack was to access patient data but has advised the affected patients to monitor their medical insurance statements for potential evidence of fraudulent transactions.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
