Michigan Medicine email breach exposes patient health information

Michigan Medicine alerted 57,891 patients Sept. 26 of a potential breach of their health information as the result of a July 30 cyberattack. In a press release, Michigan Medicine explained that an employee fell victim to a fraudulent multifactor authentication prompt, granting the attacker access to the contents of their email.

Exposed data included patients’ names, treatment information and medical record numbers. Patients were notified if they were affected by the breach.

In an email to The Michigan Daily, Michigan Medicine spokesperson Mary Masson wrote that patients’ financial and personal identification information remained secure.

“No patient financial information or Social Security Numbers were involved,” Masson wrote. “Michigan Medicine does not have reason to believe the accounts were compromised for the purpose of obtaining patient information, but as a precautionary measure, all affected patients have been advised to monitor their medical insurance statements for any potential evidence of fraudulent transactions.”

Upon discovering the breach, Michigan Medicine disabled the employee’s account, blocked the attacker’s IP address and changed related passwords. Masson wrote that an internal investigation held between Aug. 21 and Aug. 29 did not find that stealing data was a direct motivation for the cyberattack.

“We have not determined the motivation behind the cyberattack,” Masson wrote. “The employee involved in this incident has also been subject to disciplinary action under Michigan Medicine policies and procedures.”

Masson further wrote that Michigan Medicine is bolstering its cybersecurity through employee training and strengthening of digital infrastructure.

“Michigan Medicine has and continues to use robust training and education materials to increase employee awareness of the risks of these very sophisticated cyberattacks,” Masson wrote. “Additionally, Michigan Medicine is taking swift action to ward off future cyberattacks that target employees, including decreasing time emails are retained, modifying our identity verification processes to address Michigan Medicine systems, and increased education on the use of the multifactor identification.”

The July 30 attack occurred two months after a series of cyberattacks on employee email accounts that exposed the information of up to 56,953 patients on May 23 and May 29. 

In an interview with The Daily, Engineering junior Andre Quimper Osores, president of WolvSec, a student organization dedicated to cybersecurity, explained that phishing incidents like the July email breach often begin with a message that appears to come from a trusted source.

“Phishing is when a malicious actor … via a fake email, a fake website, a fake SMS, tricks a user into giving up their credentials,” Osores said. “For example, it could be a fake email that’s supposed to be from your bank, asking you to enter your username and password on (the) website, and then that website would be controlled by a malicious actor.”

Osores also said keeping employees well-informed and expanding security measures could help to prevent future attacks.

“It really is an awareness problem more than a security problem, because in this case, the employee was tricked into giving up their credentials,” Osores said. “Spreading awareness is the best way of preventing things like this.”

LSA senior Jennifer Meng, a member of the Spencer-Segal neuroscience laboratory, said being extra diligent when working with patient information is vital to protect against cyberattacks.

“Anyone who has access to patient health information or has those certain privileges and are aware that they are the holders of this information should be extra careful in case of these weird or unprompted, unsolicited authentication attempts,” Meng said. “Being in this position where you know that you’re directly responsible for the patient’s health information and that any account information that is leaked on your end could possibly have an impact on those patients’ health records, people should be more mindful when they are trying to access those records or trying to access accounts.”

Meng also said health information is sensitive and should remain confidential to protect patients and give them agency over sharing their treatment information.

“Patient information, it’s a big identifier,” Meng said. “It can contain a lot of really personal and private things that patients may not want to get out to the public. … Keeping patient information private — in between the patients and their health care providers — is really necessary for ensuring that every piece of information that the patient gives out is controlled under their consent.”

Daily Staff Reporter Marissa Corsi can be reached at macorsi@umich.edu.
