Cyber Incident Victim: Michigan Medicine
Date: Aug 2022
Location: United States of America
Summary
A phishing attack compromised four employee email accounts at Michigan Medicine after staff were lured to a fraudulent webpage and tricked into entering their login credentials and accepting multifactor authentication prompts. The unauthorized access potentially exposed personal and health information of approximately 33,850 patients, including names, addresses, dates of birth, treatment details, medical record numbers, and insurance data. While no evidence indicated the attack specifically targeted patient information, data theft could not be ruled out. The organization promptly disabled the affected accounts, conducted an investigation, and reinforced existing safeguards, noting that the employees involved had completed prior phishing training but would face disciplinary action per institutional policies.

| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |

| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |

Description
In August 2022, Michigan Medicine experienced a phishing attack where cyber attackers targeted employees by luring them to a fraudulent webpage designed to harvest login credentials. Four employees inadvertently entered their credentials and accepted multifactor authentication prompts, granting attackers access to their email accounts. Upon discovering the breach, Michigan Medicine promptly disabled the compromised accounts to prevent further unauthorized access. An investigation determined that while there was no evidence the attackers specifically sought patient health information, the possibility of data theft could not be eliminated. The compromised email accounts contained sensitive patient data, including names, addresses, dates of birth, treatment details, medical record numbers, and health insurance information. The incident impacted 33,850 patients, who were notified of the breach in October 2022.

Michigan Medicine’s chief compliance officer, Jeanne Strickland, stated the organization took immediate steps to investigate the incident and implement additional safeguards to protect patient privacy and prevent recurrence. The organization emphasized its existing robust phishing training programs, though the four employees involved had completed this training prior to the incident. Michigan Medicine confirmed these employees would face disciplinary action under internal policies and procedures. While no misuse of patient data was identified, the breach notification highlighted the potential exposure of sensitive information and reaffirmed the institution’s commitment to addressing security risks. The response included reinforcing existing protocols and enhancing measures to secure email systems against future phishing attempts.
