University of Michigan, on behalf of certain HIPAA-covered functions of the University that operate as a HIPAA hybrid entity
Your Personal Info Could Be Exposed Online After This Hospital Breach
Breach Description
The University of Michigan (U-M) experienced a breach involving the potential compromise of Protected Health Information (PHI) as the result of a phishing attack. Between August 15 and August 23, 2022, four email accounts at Michigan Medicine, the U-M health system, were compromised. The attackers lured employees to a webpage that captured their login credentials, including their responses to multi-factor authentication prompts, which allowed unauthorized access to the accounts[7].
The forensic investigation did not find evidence of data theft, but it could not be ruled out. As a precaution, Michigan Medicine assumed all information in the accounts was compromised. The compromised accounts contained job-related communications for patient coordination and care, and the information varied from patient to patient. It may have included names, addresses, dates of birth, diagnostic and treatment information, and health insurance information[7][9].
Michigan Medicine responded by implementing additional technical safeguards to its email system and infrastructure to prevent future incidents. They also conducted a thorough review of the email accounts to determine the extent of the data potentially impacted, which was completed on October 17, 2022. Affected patients were notified starting October 19, 2022[7][9].
Michigan Medicine is part of the University of Michigan, which operates as a “hybrid” covered entity under HIPAA. This means that certain units within the university, including Michigan Medicine, are regulated by HIPAA. These units must comply with HIPAA Privacy and Security Rules to protect the privacy and security of health information[1][5].
The university has policies and procedures in place to manage the selection, development, implementation, and maintenance of security measures to protect electronic PHI and to manage the conduct of the covered entity’s or business associate’s workforce in relation to the protection of that information[1]. The Michigan Medicine Corporate Compliance Office oversees U-M’s compliance with HIPAA, and the university is committed to protecting PHI in accordance with all applicable state and federal laws[3].
In the event of a breach or inappropriate access or disclosure of PHI, an investigation is typically conducted to determine if a breach has occurred, and affected individuals are notified. The UMHS Compliance Office is responsible for receiving and investigating complaints alleging violations of HIPAA’s Privacy and Security Rules[3].
For more information on the university’s HIPAA policies and procedures, individuals can refer to the U-M Health System’s policy manual[1], the guidance on uses and disclosures of PHI[2], and the FAQ section on the Office of the General Counsel’s website[3].
Citations:
1. https://www.med.umich.edu/Vendors/policies/01-04-300.pdf
2. https://az.research.umich.edu/medschool/guidance/uses-disclosures-protected-health-information-phi
3. https://ogc.umich.edu/frequently-asked-questions/hipaa/
4. https://wmich.edu/policies/hipaa-breach
5. https://az.research.umich.edu/medschool/glossary/covered-entity
6. https://it.umich.edu/information-technology-policies/general-policies/C-03
7. https://www.hipaajournal.com/phi-of-almost-34000-patients-potentially-compromised-in-michigan-medicine-phishing-attack/
8. https://www.uofmhealth.org/patient-visitor-guide/protecting-your-privacy-hipaa
9. https://www.michiganmedicine.org/news-release/michigan-medicine-notifies-patients-health-information-breach
10. https://mari.umich.edu/files/documents/hipaa_iha_uccf_7a.pdf
11. https://az.research.umich.edu/medschool/guidance/hipaa
12. https://www.med.umich.edu/compliance/about/index.html
13. https://wmich.edu/legal/hipaa/hipaahybrid
14. https://hr.umich.edu/benefits-wellness/health-well-being/health-plans/hipaa-compliance-other-important-federal-notices
15. https://www.hipaajournal.com/phi-of-university-of-michigan-health-service-and-school-of-dentistry-patients-exposed/
16. https://www.cmich.edu/docs/default-source/president’s-division/general-counsel/hipaa/09222021-hipaa-privacy-practicesdf000af6-b85e-4d43-8f00-be2a4185d967.pdf?sfvrsn=b7d9aed6_3
17. https://az.research.umich.edu/medschool/policies/statement-practice-hipaa-and-u-m-study-team-members-outside-michigan-medicine
18. https://orsp.umich.edu/sites/default/files/resource-download/basics_of_data_use_agreements.pdf
19. https://safecomputing.umich.edu/protect-the-u/safely-use-sensitive-data/using-its-hipaa-services
20. https://www.cmich.edu/docs/default-source/president’s-division/general-counsel/administrative-policy-docs/12/p12002.pdf