The data of thousands of patients is believed to have been exposed following a data breach at Michigan Medicine.
The data breach started with an employee email account being compromised on Dec. 23, with the attacker using the account to obtain information and send phishing emails. However, the employee did not notice that their account had been taken over until Jan. 6, when they reported it to Michigan Medicine’s technology department.
Michigan Medicine claims that it has no evidence that the attack was aimed at obtaining patient health information, but data theft cannot be ruled out. At the very least, all emails in the account are presumed to have been compromised.
Details in the emails included names, medical record numbers, addresses, dates of birth, diagnostic and treatment information, and/or health insurance information. The emails were job-related communication for the coordination and care of patients.
Michigan Medicine said they had placed “additional technical safeguards” on their email system and infrastructure that supports it to prevent similar incidents from occurring again.
“Patient privacy is extremely important to us, and we take this matter very seriously,” Jeanne Strickland, chief compliance officer of Michigan Medicine, said in a statement.
That may be a stretch, as it’s not the first time recently that Michigan Medicine has had patient files compromised. The Detroit Free Press reports that a newly hired employee accessed patient records without a business need between Dec. 1 and Jan. 25. The records of 269 patients were compromised in that case.
“The use of a compromised legitimate email account is a gold mine for cybercriminals,” Erich Kron, security awareness advocate at security awareness training company KnowBe4 Inc., told SiliconANGLE. “Once in an email account, the bad actors will often use the accounts to spread malware, issue fraudulent invoices to customers, demand funds transfers or steal information.”
Kron added that “attacks from legitimate accounts are very effective because these bad actors will often continue previous email conversations with other people in earlier email chains, many email protections focus on email from external sources, and there is an automatic sense of trust when you receive an email from within your own organization.”