Ascension Michigan data breach may have exposed some patients' Social Security numbers – Detroit Free Press

About 80% of data breaches had a root cause in employee negligence, a study conducted by the Ponemon Institute finds.

A data breach at Ascension Michigan may have exposed some patients’ Social Security numbers and other health information.

The health system said an unauthorized individual inappropriately accessed patient information in its electronic health record between Oct. 15, 2015, and Sept. 8, 2021.

It became aware of suspicious activity in the electronic health record and immediately began an investigation.

On Nov. 30, after an extensive review, the health system said, it determined how long the person accessed patient information. The user’s access was immediately ended.

“The information that may have been accessed for the affected individuals (note, not all individuals may have had all information affected): full name, date of birth, address(es), email address(es), phone number(s), health insurance information, health insurance identification number and carrier, dates of service, diagnosis, treatment related information, and, in some cases, Social Security numbers,” according to a news release dated Feb. 23 that was provided to the Free Press on Friday.

Some patients received letters in the mail about the breach this week. One of the letters indicated that in some cases, the information was further disclosed to third parties.

Ascension Michigan spokesperson Airielle Taylor provided the Free Press a news release for southeast Michigan patients of Ascension Michigan. It did not specify how many patients were affected or how many had more sensitive personal information, such as Social Security numbers and health information, exposed.

Taylor said in an email that the health system was only sharing what was included in the release.

The health system is offering free credit and identity theft protection-monitoring services to the affected patients as well as guidance on how they can protect their information from potential misuse.

It also is recommending that people remain vigilant in responding to anyone who may know their medical information related to care received at an Ascension Michigan facility and to report to the health system anyone trying to contact them regarding medical services or indicating they are partnering with Ascension to offer services.

Ascension Michigan said it has taken steps to further protect its patient information, including a “review of internal controls and further improvement to the processes intended to safeguard patient information.”

The health system reported the breach to law enforcement and said it will cooperate with any investigation.

It also set up a call center from 9 a.m. to 6:30 p.m. Monday through Friday at 855-568-2066 for anyone who has questions.

This is the second health system in the metro Detroit area this week to release information about a data breach.

Michigan Medicine said Thursday that it was notifying about 2,920 patients that some of their health information may have been exposed when an employee’s email account was compromised Dec. 23. This resulted in a cyberattacker gaining access to and using the account to send phishing emails, the health system said.

The employee learned about the breach when suspicious activity occurred Jan. 6 and immediately reported the situation to the health system’s information technology department. The email account was disabled and immediate password changes were made.

“No evidence was uncovered during our investigation to suggest that the aim of the attack was to obtain patient health information, but data theft could not be ruled out,” according to a news release from Michigan Medicine.

“Some emails and attachments were found to contain identifiable patient information, such as: names, medical record numbers, addresses, dates of birth, diagnostic and treatment information, and/or health insurance information,” it stated.

“The emails were job-related communications for coordination and care of patients, and information related to a specific patient varied, depending on a particular email or attachment. However, no Social Security numbers, credit card, debit card or other financial account information were discovered.”

Notices were mailed to the affected patients or their personal representatives starting Thursday. Additional technical safeguards were put in place on the health system’s email system and infrastructure.

Last month, Michigan Medicine notified 269 patients about a separate data breach found Jan. 27 in which a newly hired employee accessed patient medical records without a business need between Dec. 1 and Jan. 25.

Contact Christina Hall: chall@freepress.com. Follow her on Twitter: @challreporter.
