TRAVERSE CITY — An unauthorized third party accessed Munson Healthcare’s electronic health records a year ago, potentially breaching more than 100,000 patients’ medical records and personal data.
The breach came through Cerner, the health care system’s third-party electronic health record vendor, and compromised information like patient names, Social Security numbers and medical records containing medical record numbers, doctors, diagnoses, medicines, test results, images, care and treatment.
Letters went out to 100,181 patients on Tuesday, Jan. 20, from Munson Healthcare, said Chief Legal Officer Rachel Roe, and Michigan Attorney General Dana Nessel issued a consumer alert about the breach Friday.
Munson Healthcare also describes the Cerner incident on its website, saying Cerner will offer patients identity protection services and three-bureau credit monitoring for two years, including “internet surveillance” for those who enroll by calling 833-931-5700.
According to Cerner’s parent company Oracle Health, two of Cerner’s servers were awaiting migration to Oracle Cloud at the time of the breach, and a hacker has claimed to have stolen the data. Oracle Health attorneys said up to 80 hospitals nationally may be affected, according to The HIPAA Journal.
The time between the breach and patient notification appeared to be an issue for Nessel, who paired her announcement with a plea to strengthen Michigan law so that companies that experience a data breach must immediately inform her office, allowing it to alert the public more quickly to security issues that affect them.
“Because Michigan law does not currently require companies to immediately notify my office when a data breach occurs, we often don’t know who was impacted or when until well after a concerning cyber incident,” Nessel said. “These delays put consumers at higher risk of identity theft, and our state needs stronger laws to better protect Michiganders from bad actors. I urge anyone who receives a notice that their personal information may have been compromised to consider taking advantage of the free credit monitoring resources being offered.”
She advocated for a series of bills outlining stronger identity theft protections that passed the state Senate in August on a 19-15 vote and are currently in the House of Representatives’ Government Operations subcommittee.
As for the year-long delay in notification, Munson attributed the lag to Cerner, which in turn pointed at federal law enforcement.
“The vendor later informed us that law enforcement investigators directed a delay in notifying patients, as well as hospital customers, about this incident because it could have impeded their investigation,” the letter states.
Roe added that Munson Healthcare learned about the breach in August, received the names of impacted patients in October, and, in the interval between October and this week, matched patient names with addresses to get the letters out.
“Data security is a top priority for Munson, and we apologize to our patients for the inconvenience this causes,” Roe said Friday, and encouraged people to read the letter and sign up for free monitoring services.
Besides preventative actions like watching out for phishing emails; strengthening or changing passwords; deleting unnecessary data or files; using multi-factor authentication on devices and accounts; and reviewing credit reports, Nessel additionally advised patients to be aware of signs that someone is using their medical information, like:
Getting a bill from a doctor for services you didn’t receive.
Finding errors in your Explanation of Benefits, like services never received or medications you don’t take.
Calls from debt collectors about medical bills you don’t owe.
Medical debt collection notices on your credit report that you don’t recognize.
A notice from your health insurance company saying you’ve reached your benefit limit.
Denied insurance coverage due to a pre-existing condition you don’t have.
Munson’s website additionally offers a reference guide that includes information on ordering a credit report, reviewing accounts and placing fraud alerts and freezes.