Michigan Medicine Blames Poor Password Management for Recent Data Breach

Michigan Medicine is warning more than 56,000 people that their data, including names, addresses, and diagnostic and treatment information, may have been exposed to hackers due to poor cybersecurity practices by its staff.

Michigan Medicine is the academic medical center of the University of Michigan, in Ann Arbor. It comprises the University of Michigan Medical School and affiliated hospitals and healthcare centers.

Three emails hacked

In May, an unauthorized party accessed three Michigan Medicine employee email accounts in what the university labels as a clear “cyberattack.” The affected accounts were disabled, passwords were changed, and the perp’s IP address was blocked as quickly as possible to prevent further access, says the school.

Investigators found no indication that the attacker’s aim was to obtain patient information, but data theft could not be ruled out either.

“As a result, all the emails involved were presumed compromised and the contents were reviewed to determine if sensitive data about patients was potentially impacted,” according to the announcement.

Some of the emails accessed contained identifiable patient and insurance guarantor information, such as names, medical record numbers, addresses, dates of birth, diagnostic and treatment information, or health insurance information.

The emails accessed by the attacker had no credit card, debit card, or bank account numbers, the organization says. However, the Social Security Numbers for at least four patients were involved. Those four patients are receiving separate notices based on the risk associated with this leak.

Poor password management

Michigan Medicine says it is taking measures to prevent such events from ever happening again, including strengthening password management and enforcing employee training on socially engineered attack vectors.

“Michigan Medicine staff will receive additional education on these topics, such as how social engineering attacks work, the need to select strong passwords, and the need to use different passwords for multiple sites,” according to the notice.

“While Michigan Medicine does not have reason to believe the accounts were compromised for the purpose of obtaining patient information, as a precautionary measure, all affected patients have been advised to monitor their medical insurance statements for any potential evidence of fraudulent transactions,” the university adds.

Password management remains a major weak point in today’s digital landscape according to the Bitdefender 2024 Consumer Cybersecurity Assessment Report released in April this year. Our survey found that 37% of netizens write down their passwords, 18.7% use the same password for three or more accounts, and 15.8% use the same password for at least two accounts.