Cyber Incident Victim: Michigan Medicine
Date: Jul 2019
Location: United States of America
Summary
A phishing campaign targeting Michigan Medicine employees resulted in three staff members inadvertently compromising their email accounts by clicking malicious links, enabling unauthorized access. The attacker used these accounts to propagate further phishing emails before the institution disabled the compromised accounts, deleted malicious messages, and enforced password resets. Although the investigation found no evidence that patient data was the primary target, two affected accounts contained identifiable health information—including names, medical record numbers, addresses, dates of birth, treatment details, insurance information, and some Social Security numbers—potentially exposing approximately 5,500 patients. The organization notified impacted individuals, offered credit monitoring services, and enhanced technical safeguards and employee training to mitigate future risks.
Description
In July 2019, Michigan Medicine experienced a phishing campaign targeting employee email accounts. Malicious emails containing fraudulent login links were sent to over 3,200 staff members between July 8 and July 12. Three employees clicked these links, compromising their email credentials and enabling attackers to access their accounts. The compromised accounts were then used to distribute additional phishing emails internally. Michigan Medicine's security team detected unauthorized access to the first account on July 9 and identified two additional compromised accounts on July 12. Upon discovery, the organization immediately disabled affected accounts to prevent further unauthorized access and forced password resets for all employees who received the malicious messages. Forensic analysis determined the attackers primarily used the accounts to propagate more phishing attempts rather than targeting specific patient data.

The breach exposed protected health information of approximately 5,500 patients through emails in two of the three compromised accounts. Exposed data included patient names, medical record numbers, addresses, dates of birth, diagnostic details, treatment information, and health insurance details, with a limited number of Social Security numbers also compromised. Although investigators found no evidence that patient data was specifically targeted, Michigan Medicine began notifying affected individuals by mail in August 2019 and established a dedicated toll-free inquiry line. The organization offered complimentary credit monitoring and identity theft protection to patients whose Social Security numbers or insurance information was exposed, while advising all impacted individuals to monitor insurance statements for suspicious activity. In response to the incident, Michigan Medicine implemented enhanced technical safeguards against phishing attacks and expanded employee cybersecurity training programs to improve threat recognition and reporting capabilities.
