TRAVERSE CITY — A data breach at Munson compromised patients’ personal information, including treatment and diagnostic details.
Hundreds of patients’ Social Security numbers were exposed and thousands of patients’ protected health information was exposed.
State and federal law enforcement have been contacted, said Lucas Otten, Munson Healthcare system director of information security.
The health care system announced Wednesday that it would also be contacting affected patients, which includes people in Cadillac. Munson stressed that while patient information could have been accessed by scammers, there was no evidence the information has been misused.
The data leak was the result of a phishing scam. Twenty-nine Munson employees fell victim to the scam, and those employees had patient information in their inboxes, Otten told the Cadillac News by phone Wednesday.
Phishing scams trick people into giving up their email credentials by appearing to come from some official or trusted source, such as another hospital employee.
In this case, scammers targeted Munson employees throughout the health care system from July 31 to Oct. 22, 2019. Otten said the information technology team was responding all along to the phishing campaign. Munson brought on a third-party cybersecurity team during the first week of August to investigate and stop the attack. Investigators concluded their work on Jan. 16, 2020, telling the health care system that “the email accounts accessed between July 31 and October 22, 2019 contained identifiable personal and/or protected health information,‘ according to a news release from Munson Healthcare.
Inside employee inboxes, scammers may have found patients’ names, dates of birth, insurance information, treatment and diagnostic information, financial account numbers, driver’s license numbers and Social Security numbers.
Not all Munson patients were affected, and of those that were, not all of their information was at risk.
When asked why so much information was potentially available in an email, Otten explained that in a health care system of Munson’s geographic size, with multiple facilities across several counties, email is a useful tool.
But even an email with relatively little content can be “personally identifying.‘
For example, an email containing a first and last name plus a diagnosis would be considered personal health information, and that person can expect to be contacted by Munson Healthcare regarding the data breach.
Some people whose information was compromised won’t be contacted because there’s not enough information about them in the email.
But if Munson can’t identify you based on the information in the email, scammers shouldn’t be able to, either.
Even patients who haven’t used Munson’s services for quite some time could have had their information compromised if their information was still in the inbox of an employee who clicked on a link within the phishing email.
Otten said no employees had been disciplined but those that were victims of the scheme have received additional training. Otten also said that there was no one demographic or defining characteristic of the employees who were targeted or who fell victim.
“There wasn’t really any rhyme or reason,‘ Otten said. Phishing targets “were all just Munson employees with a Munson email.‘
C-suite leaders are often the targets of phishing scams. No Munson c-suite officials were victims of this scam.
Phishing schemes work not because of a failure of technology but because scammers target flaws in human nature, Otten said.
In Otten’s experience, “a doctor is just as likely to fall for it as a registration clerk.‘
Munson Healthcare will be sending letters to patients whose information may have been compromised.
There is no evidence that exposed information is being downloaded, used or retrieved maliciously, but Munson officials want people to know it happened, Otten said.
Patients whose Social Security numbers were leaked will get free credit monitoring.
“Patient privacy is a top priority and we take this matter very seriously,‘ added Otten. “Munson regularly trains and educates all employees on cyber security awareness and risks, and we use a 24x7 staffed cyber security response team in partnership with other Michigan hospitals to detect and respond to suspicious incidents as they happen. As cyber security threats continue to evolve, we will continue evolving our defenses to match and will implement additional technical safeguards to prevent the recurrence of similar incidents.‘
Munson Healthcare has set up a dedicated toll-free response line for patients to ask questions about the data breach.
The phone number is 1-844-904-0961. It is available Monday through Friday, 9 a.m. to 6:30 p.m.