Recently, Ascension Michigan notified patients that an unauthorized individual was able to gain access to the company’s electronic health record system, resulting in personally identifiable information (PII) being compromised. Ascension Michigan detected “suspicious activity” in the organization’s Electronic Health Record (EHR), and on November 30, the hospital system’s investigation revealed that an unauthorized individual had inappropriately accessed patient data.
The EHR breach occurred between October 15, 2015, and September 8, 2021, according to Ascension Michigan’s Notice of Incident Involving Patient Information. Per Becker’s Hospital Review, data belonging to 27,177 patients were exposed.
Although accessed information may not be consistent across all patients, the health organization reports that some affected data elements could include:
- Full name
- Date of birth
- Email address(es)
- Phone number(s)
- Health insurance information
- Health insurance ID number and carrier
- Dates of services
- Treatment-related information
- Social Security number
The U.S. Department of Health and Human Services Office for Civil Rights is currently investigating the data breach.
What Is Ascension Michigan?
Ascension Michigan, Inc., is a corporation based in East Lansing, Michigan. An expansive hospital system, the entity comprises the former St. John Providence Health System (with 18,000 employees and 2,033 licensed beds); the St. John Health System; and several other hospitals and healthcare facilities.
The corporation is a subsidiary of St. Louis-based Ascension Health, a national Catholic healthcare system founded in 1999. In the year of its founding, the organization operated hospitals and care facilities in 15 states and the District of Columbia and employed 87,000 associates. Today, Ascension Health has more than 26,000 sites of care in 19 states and the District of Columbia—142 hospitals and more than 40 senior care facilities. The company employs 150,000 associates and operates more than 28,000 beds.
In 2001, Ascension Health established Ascension Health Ventures to invest in medical and healthcare devices and technology.
In 2014, the organization established Ascension Senior Living. With more than 30 facilities in 11 states (and the District of Columbia), it is one of the largest nonprofit senior living providers in the country. That same year, Ascension created Ascension At Home, which offers post-acute services like hospice care, infusion therapy, and home care.
Ascension Michigan Facilities
According to the Ascension Michigan website, Ascension Health’s Michigan arm operates around 16 “sites of care,” including:
- Ascension Borgess Allegan Hospital
- Ascension Borgess Hospital
- Ascension Borgess-Lee Hospital
- Ascension Borgess-Pipp Hospital
- Ascension Brighton Center for Recovery
- Ascension Genesys Hospital
- Ascension Macomb-Oakland Hospital, Madison Heights Campus
- Ascension Macomb-Oakland Hospital, Warren Campus
- Ascension Providence Hospital, Novi Campus
- Ascension Providence Hospital, Southfield Campus
- Ascension Providence Rochester Hospital
- Ascension River District Hospital
- Ascension St. John Hospital
- Ascension St. Joseph Hospital
- Ascension St. Mary's Hospital
- Ascension Standish Hospital
What Happens After a Data Breach?
Despite any post-incident measures Ascension Michigan took or continues to implement, the wheels toward identity theft are already in motion.
The risk of identity theft increases any time a security breach exposes PII. Because it can take years before a victim becomes aware their identity has been stolen, by the time they find out, the misuse of their identity has already wreaked damage on their credit rating and reputation.
Data thieves can hold on to stolen PII for a year—or longer—before using the information to commit identity theft, according to the U.S. Government Accountability Office. Once the data is used online or sold, the harmful effects from continued use may go on indefinitely. PII can live for several years on the “cyber black market” as a highly sought commodity.
These time elements create a challenge in identifying the full scope of damage that someone suffers when their personal data is stolen in a data breach. In 2012, hackers gained access to LinkedIn users’ passwords. It was four years before the criminals disseminated the stolen email and password combinations.
What This Could Mean for Ascension Michigan Patients
Ascension Michigan patients whose PII was accessed could very well experience the same type of delay in their data’s misuse. This lag could muddy the trail and result in greater harm to victims. When the victim’s personal data hits the market, the real work of repairing damaged credit and reputations begins. On average, it takes approximately 200 hours of work and a time span of six months to recover, according to Experian.
Some victims whose stolen data was used to file taxes, receive refunds, open financial accounts, take loans, obtain medical services, or other, more complex applications, could spend years stopping the fraud and reversing the damages. All the while, these individuals live with the anxiety of knowing that their PII is floating about the cybersphere, subject to misuse, with no way of knowing what price they will someday have to pay for this personal violation.
What You Should Know About Identity Theft
According to the Bureau of Justice Statistics’ National Crime Victimization Survey (NCVS), identity theft occurs when any of three incidents takes place:
- There is an unauthorized use or attempted use of an existing account.
- There is an unauthorized use or attempted use of personal information to open a new account.
- There is a misuse of personal information for a fraudulent purpose.
These crimes affect more people than you might realize. In fact, in 2018, nine percent of people 16 or older reported having been the victims of identity theft, according to the NCVS’ Identity Theft Supplement (ITS). Ninety percent of these identity theft victims suffered the effects of misuse or attempted misuse of at least one bank account or credit card, the ITS reports. In 2018, identity theft cost Americans a total of $15.1 billion.
What Do Identity Thieves Do With Stolen PII?
A 2021 Federal Trade Commission (FTC) report identified the multiple ways in which criminals use the personal data they seize in a data breach. The top five outcomes are pictured below.
Source: Federal Trade Commission (FTC)
In an effort to convey the growing trend and impact of identity theft more clearly, the FTC used data from December 2021 (updated February 2022) to create the following infographic. It represents information gathered from reports from people who called FTC’s call center or went online to report incidents of identity theft.
It should come as no surprise the number of identity theft occurrences continues to grow. The Identity Theft Research Center (ITRC) published its annual data breach report, with data that shows the crime’s worsening in 2021. This was a record-breaking year for data breaches, with 1,862 hacking incidents. This represents an increase of 68 percent from the previous year and a 23 percent increase from the previous record of 1,506 data breaches. The ITRC reports that these incidents affected 294 million individuals.
Understanding Personally Identifying Information (PII)
When someone talks about PII, they are talking about an array of data types that a person could use to infer another person’s identity. According to the U.S. Department of Labor (DOL), this type of information can be classified in two categories.
Data That Directly Identifies a Person
Examples of data types that can be used on their own to identify an individual include:
- Social Security number
- Email address
- Telephone number
- Other identifying codes or numbers
Data That Combines With Other Data to Identify a Person
Other types of personal information do not uniquely identify a person. Rather, they are descriptors that are used in conjunction with other descriptors and data types to identify individuals. Examples include:
- Birth date
- Geographic indicator
Documents (electronic, paper, or other forms of media) that permit the contacting of an individual (physical or online) also constitute PII, according to the DOL.
Your PII Has a Monetary Value
The realization that PII has a real monetary value is nothing new. In 2009, scholars at the Richmond Journal of Law & Tech published a paper, Corporate Privacy Trend: The “Value” of Personally Identifiable Information (“PII”) Equals the “Value” of Financial Assets, which spotlighted this emerging currency.
According to the paper’s authors, corporate America’s increasing dependence on the electronic use of PII had reshaped it as “a commodity that companies trade and sell.” “PII, which companies obtain at little cost, has quantifiable value that is rapidly reaching a level comparable to the value of traditional financial assets,” the paper’s authors wrote.
You Have No Idea What You’re Worth
Former Federal Trade Commission (“FTC”) Commissioner Pamela Jones Harbour added her own observations on PII’s emergence as a new form of currency, with larger data sets like those curated by Ascension Michigan offering the greatest profit potential. Harbour said:
A consumer’s sensitive, personally identifiable information should be treated much like banks treat a consumer’s cash. Banks hold our money in a savings or checking account… but the money is ours …. We have certain claims to and expectation rights in the money, even though it is not physically in our hands and another entity “possesses” it.
The Commissioner also pointed out that most consumers lacked a true understanding of the staggering volumes and types of personal data that businesses gather. Correspondingly, consumers do not grasp the value of their PII. As corporations become more transparent about this value—with some companies offering customers the option to sell their data to advertisers and other third parties—a new market for the sale and purchase of PII has naturally evolved.
Attaching Dollar Values to Data Types
In 2017, hackers accessed the mega credit reporting agency Equifax
PC Magazine followed the story and helped readers understand the possible outcome of this massive data breach. The editors published an article shining a bright light on the value of readers’ identities on the Dark Web. According to the article’s authors, people with high credit scores offer the most lucrative PII. Their Social Security numbers, full names, and birth dates could sell for $60-$80.
Safety Detective Cybersecurity Team published similar information more recently. The group outlined several distinct forms of PII used in creating a new identity, along with their respective values:
- Passport: From $710
- Birth Certificate: From $240
- ID/Driver’s License: From $200
- Social Security Number/Card: $2-$5
An intelligence analyst told PC Magazine writers that these types of PII typically come to market as the result of computer hacking efforts. Because of the volume of personal information that schools and hospitals collect, these types of organizations have become favorite sources of such personal data.
What Are Your Legal Options if Your Data Was Hacked?
From a criminal justice perspective, federal prosecutors work with the Federal Bureau of Investigation, the United States Secret Service, the United States Postal Inspection Service, and other federal investigative agencies to prosecute fraud and identity theft cases.
Victims, too, can seek justice and fight to recover their financial losses by pursuing civil actions against the hacked entity that housed the PII. This pursuit can take the form of a class action lawsuit.
The Legal Basis for a Lawsuit
If you received a notice that your PII may have been compromised, you may have the right to file a lawsuit to recover damages for Ascension’s failure to maintain reasonable security measures to protect sensitive information.
Class action lawyers could work on behalf of class members to seek actual damages and injunctive relief, including public injunctive relief and declaratory relief, as well as other forms of relief as deemed appropriate by the Court.
What to Do If Ascension Michigan’s Data Breach Exposed Your Personal Information
When your PII is exposed through a data breach, it puts you at substantial risk of identity theft—which can prove damaging to your credit and your name and take great pains to repair.
If Ascension Michigan—or some other entity—sent you a letter notifying you that their system was breached and your PII exposed, consider the recourse of participating in a class action.