A data breach that exposed patients' personal health information (PHI) for almost three months went undetected for half a year at a Michigan healthcare group.

Hackers gained access to patient data placed in the safekeeping of Munson Healthcare Group by compromising the email accounts of at least two employees. Patient records were accessed from July 31, 2019, to October 22, 2019, but the breach went undetected until January 16, 2020.

What data was compromised in the prolonged attack varied from patient to patient, but information accessed by the hackers included financial account numbers, driver’s license numbers, dates of birth, and Social Security numbers.

Health information, including insurance details, treatments, and diagnostic data were also exposed by the breach.

Exactly how many patients were affected by the breach has not been revealed by Munson Healthcare, but given the size of the group, the number could potentially be high. From its base in Traverse City, Munson Healthcare operates nine hospitals in 30 counties spread through Northern Michigan.

The group has 7,500 employees and covers an area of 11,177 square miles, which is roughly the size of Vermont and Delaware combined.

“This incident does not affect all patients of Munson Healthcare and not all information was included for all individuals. Munson Healthcare is now notifying affected individuals so that they can take steps to protect their information,” a spokesperson for Munson Healthcare said.

The group went on to say that no evidence had been found to indicate that the information exposed in the breach had been acquired or misused by any third parties who accessed it. Given how long it took the group to detect that the breach had even occurred, this statement may come as cold comfort to Munson patients whose data was accessed by hackers.

"Patient privacy is a top priority and we take this matter very seriously,” said Lucas Otten, Munson Healthcare's director of information security.

“Munson regularly trains and educates all employees on cybersecurity awareness and risks, and we use a 24x7 staffed cybersecurity response team in partnership with other Michigan hospitals to detect and respond to suspicious incidents as they happen."