Cyber Incident Victim: Munson Healthcare
Date:
Jul 2019
Location:
United States of America
Summary
A Michigan healthcare provider experienced a data breach where unauthorized actors accessed patient information by compromising employee email accounts over an extended period. The incident exposed sensitive personal and health data including financial details, Social Security numbers, driver's licenses, birth dates, insurance information, treatments, and diagnoses, though the specific number of affected individuals remains undisclosed. Detection occurred months after initial access, with the organization emphasizing its cybersecurity training programs and 24/7 monitoring partnerships while confirming no evidence of data misuse. Impacted patients received notifications to implement protective measures following the security compromise.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The Munson Healthcare data breach involved unauthorized access to patient information over nearly three months in 2019, with the intrusion remaining undetected for approximately six months. Attackers compromised at least two employee email accounts between July 31 and October 22, 2019, gaining access to protected health information stored within those accounts. Exposed data included financial account numbers, driver's license numbers, Social Security numbers, dates of birth, insurance details, treatment records, and diagnostic information. The healthcare provider discovered the breach on January 16, 2020, indicating a significant detection delay from the initial compromise. Munson Healthcare operates across Northern Michigan through nine hospitals covering 30 counties, serving a geographic area comparable to Vermont and Delaware combined, though the organization did not disclose exact patient impact numbers. A spokesperson confirmed the breach did not affect all patients and that data exposure varied by individual, with notifications being sent to confirmed victims.
Munson Healthcare's investigation found no evidence that attackers acquired or misused the accessed data, though the extended detection timeline created potential risks for affected individuals. The organization emphasized patient privacy as a priority while detailing existing security measures including regular employee cybersecurity training and a 24/7 staffed response team operating in collaboration with other Michigan hospitals. Information Security Director Lucas Otten publicly reaffirmed the healthcare system's commitment to addressing cybersecurity risks through these established protocols. Response efforts focused on breach containment following detection, though specific technical remediation steps beyond account security weren't disclosed. The incident exposed vulnerabilities in email account monitoring despite the organization's cybersecurity partnerships and training programs, impacting an unspecified subset of patients across Munson's 7,500-employee network.