by John R. Fischer, Senior Reporter | April 21, 2020
A phishing email breach at Beaumont Health may have put the data of 112,000 people at risk.
The Michigan-based health system says identifiable personal and protected health information of about 112,000 patients was compromised in the breach, in which certain employee email accounts were accessed by an unauthorized third party nearly a year ago.
“Beaumont has no knowledge of any inappropriate or misuse of any data,” it said in a statement. “Beaumont’s electronic medical record system was not impacted by this incident and remains secure. However, out of an abundance of caution, we are issuing notices to anyone whose information may have been contained in the accessed accounts.”
The hacking took place between May 23 and June 3, 2019, with Beaumont discovering the breach in March 2020. Information exposed in a majority of cases included names, dates of birth, diagnoses, treatment, medical record numbers, and/or prescription information. Roughly 460 cases had Social Security numbers, bank account information, health insurance information, and/or driver’s license or state identification numbers exposed.
Beaumont launched a “prompt and thorough” forensic investigation and “comprehensive” manual document review, teaming up with external cybersecurity professionals to analyze the situation, but admits it was unable to determine for sure if any information was actually acquired by the unauthorized third party.
Those compromised were alerted to the breach in an email sent out Friday. Beaumont has offered credit monitoring to the 460 whose financial information was compromised, except for 10 patients who have since died.
Less than 5% of the eight-hospital health system’s 2.3 million patients were affected by the incident.
Beaumont has since implemented additional technical safeguards and is providing additional training and education to Beaumont employees on how to identify and manage email-related incidents like this.
Notified patients are encouraged to monitor insurance statements for suspicious activity and any transactions related to care or services that have not actually been received.