Report on Patient Privacy 25, no. 10 (October, 2025)
A recent breach of protected health information (PHI) by the University of Michigan might be a painful experience for some 1,000 individuals who were potential subjects in a research trial. But it also might be painful for members of its institutional review board (IRB), because, in an unusual admission, Michigan Medicine blamed its IRB for the unallowable disclosures.
The breach may have the positive effect, however, of reminding members of the research community that HIPAA applies to their work when PHI is involved and that protections have to encompass the lifecycle of a study—including, and perhaps beginning with, recruitment approaches.
And that’s something they won’t want to forget; as RPP previously reported, HHS plans to publish a final revised Security Rule, completing the rulemaking process that began under the Biden administration. It also notably plans to finalize a Privacy Rule that the first Trump administration published five years ago. A Sept. 4 update to a federal website that tracks regulations set May 2026 as the target date for publication of these two rules.[i]
With the exception of an Aug. 14 news release Michigan Medicine issued, little is known about the breach.[ii] RPP requested more information and sent a series of questions to Michigan Medicine, but officials refused to comment beyond the news release. They would not disclose the source of the PHI, for example, or say what kind of study was involved and which entity among its many components was conducting it.
According to its website, Michigan Medicine “includes U-M Medical School and University of Michigan Health, which includes the C.S. Mott Children’s Hospital, Von Voigtlander Women’s Hospital, University Hospital, the Frankel Cardiovascular Center, Kellogg Eye Center, University of Michigan Health-West, University of Michigan Health-Sparrow and the Rogel Cancer Center.” The medical school “is one of the nation’s biomedical research powerhouses, with total research awards of more than $800 million.”
The postcards were mailed on June 27, according to the news release, and the breach was reported to the HHS Office for Civil Rights (OCR) on Aug. 13, the federal breach reporting website shows. It is now listed under the “archive” section, which contains either “resolved breach reports and/or reports older than 24 months.” Given that the incident happened this summer, it appears OCR accepted how Michigan Medicine responded and does not plan to take any enforcement action related to this breach.
According to the news release, “a Michigan Medicine research study mailed postcards to individuals to recruit the recipients of the postcards into the research study” on June 27. “The postcards were sent without an envelope, and the body of the postcard included protected health information that was potentially exposed to anyone who may have come in contact with the postcard.”
Michigan Medicine said staff took “swift action” after learning of the “error.” They “immediately stopped sending the postcards to additional potential study participants,” the announcement said. Officials said an investigation concluded the IRB “mistakenly approved the use of this postcard.”
Exposed PHI Included Diagnoses
The IRB “is taking additional measures to ensure that a similar incident will not happen again, including staff-wide additional education about protecting PHI in communication materials,” the announcement continued. “Leaders at Michigan Medicine expressed regret that this incident has occurred.”
Michigan Medicine did not offer any identity theft protection services following this breach, instead advising affected individuals “to monitor their medical insurance statements for any potential evidence of fraudulent transactions.”
Interestingly, the description of the incident on OCR’s website doesn’t mention any involvement by the IRB. It does, however, reveal the types of PHI that were disclosed. It states that the University of Michigan “reported that an employee mailed a postcard which exposed the protected health information (PHI) of 1,015 individuals. The PHI involved included names, addresses, and diagnoses/conditions. The CE notified HHS, affected individuals, and the media. In response to the breach, the CE implemented additional administrative and technical safeguards to better protect PHI. Staff were retrained.”
As noted earlier, Michigan Medicine would not answer RPP’s questions. RPP asked why the IRB would have approved such a mailing and how the incident came to its attention, as well as why no credit services were provided.
This incident is just one of nine Michigan Medicine reported to OCR beginning in 2018 that collectively affected 166,802. Two breaches—reported last year and in 2023—together affected more than 118,000, according to the federal website.
Four Email Breaches Reported in 2024
Michigan Medicine issued two news releases about breaches in 2024—in July and September. On July 22, it said that three Michigan Medicine employee email accounts were compromised due to a cyberattack on May 23 and May 29, affecting 56,953 individuals.[iii]
The July 2024 announcement said affected email accounts “were disabled as soon as possible so no further access could take place” and that officials “did not find any evidence to suggest that the aim of the attack was to obtain patient health information, but data theft could not be ruled out. As a result, all the emails involved were presumed compromised and the contents were reviewed to determine if sensitive data about patients was potentially impacted.”
The organization said it blocked the cyberattacker’s IP address and made “immediate password changes.”
Although no financial information was involved, “some emails and attachments were found to contain identifiable patient and/or insurance guarantor information, such as: names, medical record numbers, addresses, dates of birth, diagnostic and treatment information, and/or health insurance information. The emails were job-related communications for payment and billing coordination for Michigan Medicine patients,” Michigan Medicine said. However, four patients’ Social Security numbers were involved. They “received separate notice,” the organization said.
In response, “Michigan Medicine has strengthened existing processes regarding the security of employee passwords and email accounts,” it said at the time. “Additionally, all Michigan Medicine staff will receive additional education on these topics, such as how social engineering attacks work, the need to select strong passwords, and the need to use different passwords for multiple sites. We are also strengthening existing processes to ward off social engineering attacks targeting Michigan Medicine employees.”
In its Sept. 26, 2024, announcement, Michigan Medicine said an employee’s email account had been “compromised” by a cyberattack on July 30, potentially affecting 57,891 individuals.
“Michigan Medicine has and continues to use robust training and education materials to increase employee awareness of the risks of cyberattacks. Additionally, Michigan Medicine is taking swift action to ward off future cyberattacks that target employees including decreasing time emails are retained, modifying our identity verification processes to access Michigan Medicine systems, and increased education on the use of the multifactor identification. The employee involved in this incident has also been subject to disciplinary action under Michigan Medicine policies and procedures,” it said.[iv]
Michigan Medicine also didn’t offer credit services following these breaches. It is not clear if, or how, these two 2024 email breaches were related, as they don’t appear as separate entries on OCR’s website.
Attack Targets Included Email, Network
The OCR website lists the following University of Michigan/Michigan Medicine breaches, including the date, type and number of affected individuals, from the most recent to oldest:
◆ 8/13/25: unauthorized access/disclosure; paper/films; 1,015 individuals affected
◆ 7/19/24: hacking/IT incident; email; 56,953 individuals affected
◆ 10/23/23: hacking/IT incident; network server; 61,033 individuals affected (this is the only entry attributed solely to the University of Michigan; it does not mention Michigan Medicine)
◆ 10/25/22: hacking/IT incident; email; 33,857 individuals affected
◆ 3/3/22: hacking/IT incident; email; 2,921 individuals affected
◆ 10/16/20: unauthorized access/disclosure; email; 1,062 individuals affected
◆ 8/16/19: hacking/IT incident; email; 5,466 individuals affected
◆ 9/28/18: unauthorized disclosure; paper/film; 3,624 individuals affected
◆ 6/25/18: laptop theft; 871 individuals affected
OHRP Confirmed Breach Reporting Duties
Michigan Medicine is not the first to experience a breach of PHI involving a study recruitment postcard or email, and depending on the funding of the research, privacy incidents may also be reportable to the HHS Office for Human Research Protections (OHRP). The Common Rule, which OHRP enforces in research supported by HHS, requires privacy protections. Michigan Medicine would not say whether the breach was or was not reported to OHRP.
On July 26, 2024, the University of Alabama at Birmingham (UAB) announced that its School of Nursing “informed 1,655 patients this week of an incident in which a study recruitment postcard sent to the patients inadvertently shared [PHI]. The postcard—intended to encourage participation in a survey related to a breast cancer diagnosis—displayed the patient’s first and last name, address and inferred their diagnosis.”[v]
UAB sent a letter of apology that “included the nature of the breach and the information at risk, and reiterated the institution’s commitment to patients, as well as steps taken in response to the incident.” Quoting from the letter, UAB said it “takes the protection of our patients’ and study participants’ privacy and information very seriously” and told patients “that appropriate actions have and will continue to be taken to prevent this type of incident from occurring in the future.”
In 2019, OHRP issued a determination letter to Columbia University regarding a 2016 breach that occurred when it sent participants in an HIV study an email inviting them to join a new study.[vi] Research staff included 145 email addresses in the CC section of the email. The same investigator was involved in both studies and reported the breach “to the IRB as an unanticipated problem involving risks to subjects or others,” but delayed reporting it to OHRP because of an ongoing investigation.
OHRP confirmed that the incident was ultimately reported to the agency and said it approved of the corrective actions Columbia had taken, which included terminating the study coordinator and apologizing to study participants. A new best practices manual was developed for the study team, which also retook the university’s privacy and security information training.
A version of this story appeared in Report on Research Compliance, RPP’s sister publication. For more information, visit https://www.hcca-info.org/RRC.