Michigan Medicine Discloses Email Account Breach

Michigan Medicine has notified patients of an employee email account breach which exposed health information of about 33,850 patients. 

From August 15th through August 23rd, a cyber attacker targeted Michigan Medicine employees with an email phishing scam, luring employees to a webpage designed to get them to enter their Michigan Medicine login ingo. Four employees entered their info and then inappropriately accepted MFA prompts, allowed the attacker to access their email accounts.


John Stevenson, Director of Product at Cyren had this to say:

     “The fact that four separate employees followed the phishing link and accepted multi-factor authentication prompts shows how sophisticated these attacks can be. It is as a stark reminder that phishing continues to plague the healthcare industry. Of the 684 breaches of healthcare data reported to the US Government, 41% of them resulted from email incidents. The majority of those email incidents (74%) were from phishing vs. malware or accidental disclosure.

Many companies might blame the user in situations such as this for not heeding the lessons of the corporate Security Awareness Training (SAT) program. However, the reality is that SAT must be augmented with the right inbox security. What is needed is additional assistance for the user such as Scan and Report buttons within the Outlook inbox that empower the user to put the lessons learned from SAT into practice then and there, taking a proactive approach to email security.”

This illustrates the fact that people are the weakest point in cybersecurity. And organizations need to focus on making that a non factor to stop incidents like this from happening.

Leave a Reply

%d bloggers like this: