
University of Michigan, on behalf of certain HIPAA-covered functions of the University that operate as a HIPAA hybrid entity

Breach Description

The University of Michigan (U-M) experienced a breach involving the potential compromise of Protected Health Information (PHI) due to a phishing attack. Between August 15 and August 23, 2022, four email accounts at Michigan Medicine, which is part of the U-M health system, were compromised. The attackers lured employees to a webpage that captured their login information, including responses to multi-factor authentication prompts, allowing unauthorized access to the accounts[7].
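The capture-and-relay mechanism described above, as an added illustration written for this page (not code from Michigan Medicine, the incident report, or the cited sources): a phishing page collects a password and a one-time MFA code and forwards them to the real identity provider while the code is still valid. Every user, secret, host and key below is constructed, and the origin-bound login is a simplified stand-in for a WebAuthn-style credential, using an HMAC rather than a real signature, to show why that class of MFA does not fall to the same lure. The page does not state which MFA method the compromised accounts used.

```python
"""
Simulation of a phishing page that captures a password and a one-time
MFA code and relays them to the real identity provider. All users,
secrets, hosts and keys below are constructed for this example.
"""
import base64
import hashlib
import hmac
import secrets
import struct

# Constructed victim credentials and a constructed TOTP seed (RFC 6238).
USER = "employee@example.org"
PASSWORD = "constructed-password"
TOTP_SECRET = base64.b32decode("JBSWY3DPEHPK3PXP")
REAL_ORIGIN = "https://login.example.org"
PHISH_ORIGIN = "https://login.example.org.evil.example"  # look-alike host
# Symmetric stand-in for a phishing-resistant (WebAuthn-style) credential;
# real authenticators sign with a private key, but origin binding works the same way.
AUTHENTICATOR_KEY = b"constructed-authenticator-key"
STEP = 30  # seconds per TOTP time step


def totp(secret: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 for the time step containing `now`."""
    counter = struct.pack(">Q", now // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def sign_assertion(challenge: str, origin: str) -> str:
    """What the authenticator signs. The browser, not the user, supplies the origin."""
    return hmac.new(AUTHENTICATOR_KEY, f"{challenge}|{origin}".encode(), hashlib.sha256).hexdigest()


class IdentityProvider:
    """Minimal relying party with two login methods."""

    def login_with_totp(self, user: str, password: str, code: str, now: int) -> bool:
        # Accept the current and the previous time step, a common clock-skew allowance.
        valid = {totp(TOTP_SECRET, now), totp(TOTP_SECRET, now - STEP)}
        return user == USER and password == PASSWORD and code in valid

    def new_challenge(self) -> str:
        return secrets.token_hex(16)

    def login_with_origin_bound_assertion(self, user: str, challenge: str, assertion: str) -> bool:
        # The relying party only verifies assertions made over its own origin.
        expected = sign_assertion(challenge, REAL_ORIGIN)
        return user == USER and hmac.compare_digest(expected, assertion)


def phish_totp(idp: IdentityProvider, now: int, relay_delay: int) -> bool:
    """Victim types password + current code into the phishing form; attacker relays."""
    captured = {"user": USER, "password": PASSWORD, "code": totp(TOTP_SECRET, now)}
    # Attacker submits the captured values to the real IdP `relay_delay` seconds later.
    return idp.login_with_totp(captured["user"], captured["password"], captured["code"], now + relay_delay)


def phish_origin_bound(idp: IdentityProvider) -> bool:
    """Same lure, but the victim's authenticator binds its signature to the page origin."""
    challenge = idp.new_challenge()  # attacker fetched it from the real IdP and forwarded it
    assertion = sign_assertion(challenge, PHISH_ORIGIN)  # browser reports the phishing origin
    return idp.login_with_origin_bound_assertion(USER, challenge, assertion)


def legitimate_origin_bound(idp: IdentityProvider) -> bool:
    """Control case: the victim logs in on the real origin."""
    challenge = idp.new_challenge()
    return idp.login_with_origin_bound_assertion(USER, challenge, sign_assertion(challenge, REAL_ORIGIN))


if __name__ == "__main__":
    idp = IdentityProvider()
    t = 1_700_000_000  # fixed clock so the run is reproducible
    print("OTP relayed within seconds:", phish_totp(idp, t, 5))          # True
    print("OTP relayed two minutes later:", phish_totp(idp, t, 120))     # False
    print("origin-bound credential phished:", phish_origin_bound(idp))   # False
    print("origin-bound legitimate login:", legitimate_origin_bound(idp))  # True
```

The first two calls show the window the attacker has to work with: a code typed into the lure is accepted by the real provider for as long as the time-step allowance lasts, so an automated relay succeeds and a slow, manual one does not. The origin-bound case fails even with instant relay because the signed assertion carries the origin the browser was actually on, which the attacker cannot change.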

The forensic investigation did not find evidence of data theft, but it could not be ruled out. As a precaution, Michigan Medicine assumed all information in the accounts was compromised. The compromised accounts contained job-related communications for patient coordination and care, and the information varied from patient to patient. It may have included names, addresses, dates of birth, diagnostic and treatment information, and health insurance information[7][9].

Michigan Medicine responded by adding technical safeguards to its email system and infrastructure to prevent a recurrence. It also reviewed the compromised accounts to determine the extent of the data potentially affected; that review was completed on October 17, 2022, and notification of affected patients began on October 19, 2022[7][9].

Michigan Medicine is part of the University of Michigan, which operates as a “hybrid” covered entity under HIPAA. This means that certain units within the university, including Michigan Medicine, are regulated by HIPAA. These units must comply with HIPAA Privacy and Security Rules to protect the privacy and security of health information[1][5].

The university has policies and procedures in place to manage the selection, development, implementation, and maintenance of security measures to protect electronic PHI and to manage the conduct of the covered entity’s or business associate’s workforce in relation to the protection of that information[1]. The Michigan Medicine Corporate Compliance Office oversees U-M’s compliance with HIPAA, and the university is committed to protecting PHI in accordance with all applicable state and federal laws[3].

In the event of a breach or inappropriate access or disclosure of PHI, an investigation is typically conducted to determine if a breach has occurred, and affected individuals are notified. The UMHS Compliance Office is responsible for receiving and investigating complaints alleging violations of HIPAA’s Privacy and Security Rules[3].

For more information on the university’s HIPAA policies and procedures, individuals can refer to the U-M Health System’s policy manual[1], the guidance on uses and disclosures of PHI[2], and the FAQ section on the Office of the General Counsel’s website[3].

Citations:

  1. https://www.med.umich.edu/Vendors/policies/01-04-300.pdf
  2. https://az.research.umich.edu/medschool/guidance/uses-disclosures-protected-health-information-phi
  3. https://ogc.umich.edu/frequently-asked-questions/hipaa/
  4. https://wmich.edu/policies/hipaa-breach
  5. https://az.research.umich.edu/medschool/glossary/covered-entity
  6. https://it.umich.edu/information-technology-policies/general-policies/C-03
  7. https://www.hipaajournal.com/phi-of-almost-34000-patients-potentially-compromised-in-michigan-medicine-phishing-attack/
  8. https://www.uofmhealth.org/patient-visitor-guide/protecting-your-privacy-hipaa
  9. https://www.michiganmedicine.org/news-release/michigan-medicine-notifies-patients-health-information-breach
  10. https://mari.umich.edu/files/documents/hipaa_iha_uccf_7a.pdf
  11. https://az.research.umich.edu/medschool/guidance/hipaa
  12. https://www.med.umich.edu/compliance/about/index.html
  13. https://wmich.edu/legal/hipaa/hipaahybrid
  14. https://hr.umich.edu/benefits-wellness/health-well-being/health-plans/hipaa-compliance-other-important-federal-notices
  15. https://www.hipaajournal.com/phi-of-university-of-michigan-health-service-and-school-of-dentistry-patients-exposed/
  16. https://www.cmich.edu/docs/default-source/president’s-division/general-counsel/hipaa/09222021-hipaa-privacy-practicesdf000af6-b85e-4d43-8f00-be2a4185d967.pdf?sfvrsn=b7d9aed6_3
  17. https://az.research.umich.edu/medschool/policies/statement-practice-hipaa-and-u-m-study-team-members-outside-michigan-medicine
  18. https://orsp.umich.edu/sites/default/files/resource-download/basics_of_data_use_agreements.pdf
  19. https://safecomputing.umich.edu/protect-the-u/safely-use-sensitive-data/using-its-hipaa-services
  20. https://www.cmich.edu/docs/default-source/president’s-division/general-counsel/administrative-policy-docs/12/p12002.pdf
The portal fields below are reproduced as recorded on the page. Their October 23, 2023 submission date, 61,033 affected individuals, network-server location and business-associate flag do not line up with the 2022 email phishing incident described above, which citation 7 reports as affecting almost 34,000 patients and which was notified in October 2022, so they may record a separate filing by the same entity.

Breach Submission Date: Oct 23, 2023
Converted Entity Name: University of Michigan, on behalf of certain HIPAA-covered functions of the University that operate as a HIPAA hybrid entity
Converted Entity Type: Healthcare Provider
State: MI
Individuals Affected: 61,033
Breach Type: Hacking/IT Incident
Breach Information Location: Network Server
Business Associate Present: Yes