Beaumont announces data security breach

The Detroit News

Beaumont Health officials on Tuesday announced a data security incident they said affected as many as 6,000 patients.

The incident involved access to "certain employee email accounts by an unauthorized third-party," the eight-hospital system said in a statement. The accounts contained "the personal and protected health information of certain patients, including name, date of birth, diagnosis, diagnosis code, procedure, treatment location, treatment type, prescription information, Beaumont patient account number and Beaumont medical record number."

Those affected represent about 0.3% of Beaumont's 2.3 million patients, officials said.


"Upon learning of this issue, Beaumont promptly disabled the accessed email accounts and required mandatory password resets to prevent further misuse," the notice said. "After an extensive forensic investigation and comprehensive manual document review, we discovered on June 5, 2020 that one or more of the email accounts accessed between January 3, 2020 and January 29, 2020 contained identifiable personal and/or protected health information."

The probe did not determine if any information was viewed or acquired by the unauthorized third party, "and Beaumont has no knowledge of any misuse of data by any unauthorized individuals," the hospital system said Tuesday.

Although Beaumont’s electronic medical record system was not affected, officials are issuing notices to anyone whose information might have been contained in the accessed accounts.

The issue comes three months after Beaumont notified patients of a separate phishing attack, which started in 2019 and which officials said could have exposed the personal information of up to 112,000 people.

Beaumont has since "taken significant measures to improve internal procedures to identify and remediate future threats in order to minimize the risk of a similar incident in the future, including improving its multi-factor authentication software, conducting a risk analysis, and providing additional training and education to ... employees on identification and handling of malicious emails," officials said Tuesday.

Notified patients are asked to monitor insurance statements for any transactions related to care or services they did not receive.

For questions or information, a response line is available at (844) 925-2476 from 9 a.m. to 6:30 p.m. EST, Monday through Friday.