Patients’ PHI Impacted by Phishing Attacks on Virginia Gay Hospital and Michigan Medicine

Virginia Gay Hospital in Vinton, OH notified a number of patients of the potential exposure of their PHI following unauthorized access to an employee’s email account on June 18, 2019.

The hospital retained a computer forensics agency to investigate the incident. The investigation found that the following information contained in the email account was compromised: names, Social Security numbers, birth dates, and medical information of people who received outpatient services from Virginia Gay Hospital. No information could confirm that patient information was viewed or copied.

The hospital sent breach notification letters to the affected patients, though there’s no information yet as to the exact number of persons affected by the breach.

Phishing Attack on Michigan Medicine

Michigan Medicine notified around 5,500 patients of a phishing attack that resulted in the exposure of some of their protected health information (PHI).

The phishing attack on Michigan Medicine happened in July. Phishing emails containing a link to a website used to harvest login credentials were sent to 3,200 employees. Three employees responded to the phishing emails and disclosed their login information. The unauthorized persons accessed the email accounts and used them to send other phishing emails. Michigan Medicine discovered the suspicious activity in the accounts on July 8, 9 and 12, 2019 and changed the account passwords to stop further unauthorized access. It likewise changed the passwords of all email accounts that received the phishing emails.

Two compromised accounts contained patient information. In addition to a patient’s name, one or more of the following types of information might have been compromised: birth date, address, medical record number, diagnostic records, treatment information, health insurance records and, for certain patients, Social Security number.

No report was obtained that suggests any patient information was viewed or copied; nonetheless, data theft cannot be entirely ruled out. Michigan Medicine therefore assumed that patient data was compromised. It provided the impacted patients with free credit monitoring services and directed them to monitor their financial accounts and insurance statements for possible fraudulent transactions.

Additional technical security procedures will be implemented to strengthen email security, and employees will receive more security awareness training.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of the HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone