TRAVERSE CITY — Munson Healthcare is in the process of notifying thousands of patients that their personal and health care information was breached when some of its employee email accounts were hacked.
The breach affected all nine Munson hospitals in the region, said Lucas Otten, Munson’s director of information security.
After learning about the breach on July 31, a forensic investigation and manual document review were started, finding that a handful of hacked email accounts contained patients’ names, dates of birth, insurance information and treatment and diagnostic information, Otten said.
Of those, hundreds also included patients’ financial account numbers, driver’s license numbers and Social Security numbers, Otten said.
None contained credit card information, he said.
Investigators looked at more than a million documents, with the investigation ending on Jan. 16. At that time it was learned that the emails accessed between July 31 and Oct. 22 contained the sensitive and protected health information, Otten said.
Munson has set up a call center and is offering identity theft monitoring at no cost to those whose Social Security numbers were identified in the emails, Otten said.
Patients are also being told to watch their insurance statements for transactions for services that they did not receive.
That toll-free call center can be contacted at 1-844-904-0961. Calls will be taken from 9 a.m. to 6:30 p.m. Monday through Friday.
Letters are being sent to all affected patients for whom a physical address can be determined. Some of the emails only contained a person’s first initial and last name and no other identifiers so the physical address is not known, Otten said.
There is also a public notice on Munson’s website.
The breach does not affect all Munson patients and none of the information has been misused by the third party that accessed it, Otten said.
The hack came in the form of a carefully crafted email sent to Munson employees.
“It just took a few Munson employees to get duped to lead to this,” Otten said.
Those employees have been given some additional training and awareness, but Otten said they are considered victims.
Years ago scam emails were unsophisticated, making them easy to spot and easy to avoid. Now they are much harder to spot, he said.
The investigation was done by an external firm specializing in security breaches. Otten would not name the firm.
“Any details related to cyber defense, we keep those pretty close to the vest,” he said.
That keeps other hackers from trying the same thing, he said.
Otten said it is not known who the hacker is; the incident has been referred to local and state law enforcement, as well as to the FBI.