McKenzie Health System

Your Personal Info Could Be

Exposed Online After

This Hospital Breach

Breach Description

In March 2022, McKenzie Health System in Sandusky, Michigan, experienced a significant cybersecurity incident. An unauthorized party accessed the health system’s IT systems between March 10 and March 11, 2022, and removed some files. This breach was first identified by McKenzie Health System on March 11, 2022, prompting immediate steps to secure the systems, launch an investigation with the help of a third-party forensic investigator, and notify law enforcement[1][2].

The investigation revealed that the files accessed and removed contained sensitive patient information, including names, contact information, demographic information, dates of birth, Social Security numbers, driver’s license numbers, diagnosis and treatment information, prescription information, medical record numbers, provider names, dates of service, and health insurance information[1][2]. As a result, McKenzie Health System began notifying the affected patients, which numbered over 25,000[7], and offered complimentary credit monitoring and identity protection services through Experian for those whose Social Security numbers were involved[1][2].

In response to the incident, McKenzie Health System has implemented additional safeguards and technical security measures to enhance the protection and monitoring of its systems[1][2]. The health system also established a dedicated call center to address questions related to the incident[1].

The breach had significant financial implications for McKenzie Health System, with out-of-pocket costs exceeding a quarter of a million dollars. These costs included legal fees, forensic work, notifications to patients and employees, monitoring software, file exploration, and credit monitoring costs for those potentially affected by the breach[3]. Despite having cybersecurity insurance, which helped mitigate some of the financial impact, the incident underscores the challenges and costs associated with recovering from such attacks, especially for small, rural health organizations[3][4].

This incident is part of a broader trend of increasing cybersecurity threats targeting healthcare organizations, highlighting the importance of robust cybersecurity measures and preparedness to mitigate the risks and impacts of such attacks[3][6].

Citations:

  1. https://www.mckenziehealth.org/notice-of-data-security-incident/
  2. https://www.beckershospitalreview.com/cybersecurity/michigan-health-system-cybersecurity-incident-takes-down-it-system-exposes-phi.html
  3. https://www.ruralhealthinfo.org/rural-monitor/cybersecurity-attacks
  4. https://www.ruralhealthinfo.org/toolkits/emergency-preparedness/case-studies/equipment-infrastructure-failures/mckenzie-health-system
  5. https://www.dataguidance.com/news/usa-mckenzie-health-system-notifies-ocr-data-security
  6. https://www.govinfosecurity.com/avoslocker-claims-data-theft-from-another-healthcare-entity-a-19083
  7. https://www.hipaajournal.com/cyberattacks-reported-by-mckenzie-health-system-omnicell/
  8. https://www.mckenziehealth.org/privacy/
  9. https://sanilaccountynews.mihomepaper.com/articles/mckenzie-health-system-addresses-data-security-breach/
  10. https://sanilaccountynews.mihomepaper.com/articles/mckenzie-notifies-patients-of-stolen-information/
  11. https://classlawdc.com/2022/05/17/mckenzie-health-system-data-breach-investigation/
  12. https://healthitsecurity.com/news/refuah-health-center-suffers-cybersecurity-incident-260k-impacted
  13. https://www.defensorum.com/mckenzie-health-system-omnicell-report-cyberattacks/
Breach Submission Date May 10, 2022
Converted Entity Name McKenzie Health System
Converted Entity Type Healthcare Provider
State MI
Individuals Affected 25,318
Breach Type Hacking/IT Incident

Breach Information Location Network Server

Business Associate Present Yes