The Michigan Department of Community Health has notified more than 49,000 individuals that a server of the Michigan Cancer Consortium containing their names, birth dates, Social Security numbers, cancer screening test results and testing dates was hacked.
The department does not consider the compromised data to be protected health information, however, and did not notify local media or the Health & Human Services Office for Civil Rights about the breach.
The information was hacked from a password-protected area of the Michigan Cancer Consortium website, which is hosted on a private company’s server, according to an article published by The Detroit News. The information has since been moved to a secure department server.
Neither the department nor the consortium, which is composed of providers, payers and associations cooperating on cancer research, has placed a public notice of the breach on their websites. The notification letter to patients advises them to place a fraud alert with the three major credit bureaus. A spokesperson for the department told WWJ Newsradio in Detroit that the breached information was not a medical record and did not include addresses or identifiable contact information, but was “simply testing reports.”
The compromised data were not medical records, and therefore no notification under HIPAA was sent to individuals, according to reports. Because the reports contained Social Security numbers, the Identity Theft Protection Act applied, so the department contacted individuals about the breach and provided information on how to protect themselves against identity theft.
Having determined that the breach did not fall under the HIPAA breach notification rule, the department did not notify local media. The department’s Cancer Prevention and Control Section, where the information originated, is not a HIPAA-covered component of the Michigan Department of Community Health.