PHI Exposed in Phishing Attacks on Michigan Medicine and Virginia Gay Hospital

5,466 patients of Michigan Medicine are being notified that some of their protected health information has been exposed in a recent phishing attack.

In July, Michigan Medicine employees were targeted in large scale phishing campaign. 3,200 Michigan Medicine employees received phishing emails containing a hyperlink to a legitimate looking web page that requested the user’s email login credentials.

Three employees responded to the emails and disclosed their credentials. Those accounts were subjected to unauthorized access and were used to send further phishing emails. Michigan Medicine detected suspicious activity in the email accounts on July 8, 9 and 12, 2019 and performed a password reset to prevent any further unauthorized access. As a precaution, the passwords were also resent on the email accounts of all employees who received one of the phishing emails.

Two of the accounts were discovered to contain patient information. In addition to a patient’s name, one or more of the following may have been compromised: Address, date of birth, medical record number, diagnostic information, treatment information, health insurance information and, for a small number of patients, Social Security number.

No evidence was uncovered to suggest patient information was viewed or copied; however, since data theft cannot be ruled out, Michigan Medicine has assumed that patient information has been compromised.

Affected patients have been offered complimentary credit monitoring services and have been advised to monitor their accounts and statements from insurers for signs of fraudulent activity.

Michigan Medicine is implementing additional technical safeguards to enhance email security and will be retraining employees to improve security awareness.

PHI of Patients Exposed in Virginia Gay Hospital Phishing Attack

Virginia Gay Hospital in Vinton, OH, is notifying certain patients that some of their protected health information may have been accessed by an authorized individual who gained access the email account of an employee on June 18, 2019.

The hospital called in a computer forensics company which determined that the compromised email account contained information such as names, dates of birth, Social Security numbers, and medical information of individuals who received outpatient services at the hospital. No evidence was uncovered to suggest patient information was viewed or copied.

The breach report submitted to the HHS’ Office for Civil Rights indicates 5,030 individuals have been impacted.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.