Ascension Michigan (single affiliated covered entity) ACE

Your Personal Info Could Be

Exposed Online After

This Hospital Breach

Breach Description

Ascension Michigan Data Breach

Ascension Michigan experienced a data breach where an unauthorized individual accessed patient information in its electronic health record system between October 15, 2015, and September 8, 2021. The breach was discovered following suspicious activity in the electronic health record, leading to an investigation that concluded on November 30, 2021. The unauthorized access was immediately terminated once discovered[1].

Information Exposed

The data breach may have exposed a range of patient information, including:

  • Full names

  • Dates of birth

  • Addresses
  • Email addresses
  • Phone numbers
  • Health insurance information
  • Health insurance identification numbers and carriers
  • Dates of service
  • Diagnosis and treatment-related information
  • Social Security numbers (in some cases)

Not all individuals had all types of information affected. Some patients were notified that their information was further disclosed to third parties[1].

Response and Measures Taken

Ascension Michigan has taken steps to enhance the protection of patient information, including reviewing internal controls and improving processes intended to safeguard patient data. The health system is offering free credit and identity theft protection-monitoring services to affected patients. It has also reported the breach to law enforcement and is cooperating with any investigation. A call center has been set up to address questions from those affected[1].

Number of Patients Affected

The breach affected the personal and medical information of more than 27,000 patients[5]. Ascension Michigan is part of Ascension Health, which operates numerous healthcare facilities across the state[4].

Legal and Compliance Aspects

Ascension Michigan is required by law to protect the privacy and security of medical information and to notify individuals if a breach of unsecured protected health information occurs[2]. The U.S. Department of Health and Human Services Office for Civil Rights is investigating the data breach[6].

Recommendations for Affected Individuals

Affected individuals are advised to remain vigilant and respond cautiously to any communication seeking medical information. They are also encouraged to take advantage of the offered credit and identity theft protection services[1].

Contact Information

For further information or to file a complaint about privacy practices, individuals can contact the Ascension Michigan HIPAA Privacy Officer by telephone at (586) 753-1171, by sending a letter to 28000 Dequindre Road, Warren, Michigan 48092, or by email at compliance.michigan@ascension.org[2].

Citations:

  1. https://www.freep.com/story/news/local/michigan/2022/03/04/ascension-michigan-data-breach-patients-personal-info/9381284002/
  2. https://healthcare.ascension.org/-/media/project/ascension/healthcare/markets/michigan/documents/ascension-mi-notice-of-privacy-practices.pdf
  3. https://www.scmagazine.com/analysis/ransomware-attack-on-ascension-st-vincents-legacy-emr-spurs-breach-notice
  4. https://www.jdsupra.com/legalnews/data-breach-alert-ascension-michigan-7166329/
  5. https://www.crainsdetroit.com/health-care/ascension-michigan-data-breach-exposes-personal-medical-information-more-27000-patients
  6. https://levinlaw.com/2022/03/18/ascension-michigan-data-breach-lawsuits
  7. https://www.hipaajournal.com/february-2022-healthcare-data-breach-report/
  8. https://wacotrib.com/news/local/crime-courts/ascension-providence-warns-cyberattack-on-contractor-may-have-compromised-patient-info/article_ed316c88-99e9-11ee-9d13-2360d7b7a642.html
  9. https://healthcare.ascension.org/-/media/healthcare/npp/michigan/mi_ascension-michigan_english.pdf
  10. https://www.justice.gov/opa/pr/ascension-michigan-pay-28-million-resolve-false-claims-act-allegations
  11. https://www.dallaswhistleblowerlawyer.com/blog/ascension-michigan-pays-28-million-to-resolve-whistleblower-claim/
  12. https://healthcare.ascension.org/specialty-care/neurology/stroke-treatment/why-ascension/miasc-mi-stroke-care
  13. https://www.beckershospitalreview.com/cybersecurity/ascension-michigan-data-breach-exposed-27k-patient-records.html
Breach Submission Date Feb 22, 2022
Converted Entity Name Ascension Michigan (single affiliated covered entity) ACE
Converted Entity Type Healthcare Provider
State MI
Individuals Affected 27,177
Breach Type Unauthorized Access/Disclosure

Breach Information Location Electronic Medical Record

Business Associate Present Yes