Michigan Medication customers of about 34k received notifications that their health information was possibly exposed in a data breach.
Threat actors used a phishing scam to compromise employee email accounts which led the health system to alert 33,850 patients of the exposure.
The campaign was conducted between Aug. 15-23, when employees were lured to a webpage designed to get them to submit Michigan Medicine login information, adding four employee email accounts were accessed.
The health system discovered the email accounts were compromised on Aug. 23. Those accounts were disabled to prevent further access by the cyber attacker.
The information in email accounts included identifiable patient information such as name, medical record number, address, date of birth, diagnostic and treatment information and health insurance information, adding the owners of the email accounts used the information for job-related functions.
The email accounts did not contain any credit card, debit card or bank account numbers, officials said. One patient received a separate notice because their Social Security Number was involved.
This is the second reported data breach of 2022, as about 3,000 patients were affected by a different breach in March.