Munson Healthcare employee emails were hacked during a three-month period in 2019, the organization announced Wednesday, with an external third party able to access protected patient information including dates of birth, diagnostic and treatment details, driver's license numbers, and Social Security numbers.

Munson said it became aware of a "recent data security incident" during which certain employee email accounts were accessed by an unauthorized third party. "Upon learning of this issue, Munson Healthcare commenced a prompt and thorough investigation, working closely with external cybersecurity professionals," Munson said in a written statement. After a forensic investigation and comprehensive manual document review, Munson discovered that employee email accounts accessed between July 31 and October 22 "contained identifiable personal and/or protected health information."
 
Affected email accounts contained the personal and protected health information of some patients, including names, dates of birth, insurance information, and treatment and diagnostic information. Some individuals’ financial account numbers, driver’s license numbers, and Social Security numbers were also contained in the emails. "This incident does not affect all patients of Munson Healthcare, and not all information was included for all individuals," according to Munson. "Munson Healthcare is now notifying affected individuals so that they can take steps to protect their information."

According to Lucas Otten, Munson Healthcare system director of information security, the organization has "no evidence that any information has been acquired or misused by the unauthorized third party that accessed it." Munson Healthcare is sending notification letters to affected patients with available mailing addresses and is setting up a dedicated call center for patients who may have been impacted or have questions about the security breach. The response line can be contacted at 1-844-904-0961 and is available Monday-Friday from 9am-6:30pm E.S.T.

Munson Healthcare is also offering complimentary credit monitoring to individuals whose Social Security numbers were contained in the email accounts. Notified patients should monitor insurance statements for any transactions related to care or services that have not actually been received. 
 
"Patient privacy is a top priority, and we take this matter very seriously," said Otten. "Munson regularly trains and educates all employees on cyber security awareness and risks, and we use a 24-7 staffed cyber security response team in partnership with other Michigan hospitals to detect and respond to suspicious incidents as they happen. As cyber security threats continue to evolve, we will continue evolving our defenses to match and will implement additional technical safeguards to prevent the recurrence of similar incidents."