
Michigan Medicine announces third breach in two years


The University of Michigan’s hospital center is contacting individuals impacted by a research study data breach. 


What happened

Michigan Medicine, the University of Michigan’s academic medical center, recently disclosed that it exposed private health information belonging to prospective research participants.

The incident stemmed from a research study. On June 27, 2025, Michigan Medicine mailed postcards to individuals to recruit them for a research study. The postcards were sent without an envelope, and the body of each card included personal health information. That information was potentially visible to anyone who handled or viewed the postcard in transit or after delivery.

Michigan Medicine has begun sending notices to the approximately 1,015 impacted individuals.


Going deeper

Michigan Medicine stated that as soon as it became aware of the incident, the researchers immediately stopped sending the postcards to additional study participants. It stated, “An investigation was initiated and found that the University of Michigan’s Institutional Review Board (IRB), a panel of staff that is responsible for human subjects research oversight, mistakenly approved the use of this postcard.”

Jeanne Strickland, Michigan Medicine Chief Compliance Officer, said, “We will analyze this incident and review our safeguards and make changes if needed to protect those we care for.” 


In the know

According to HHS breach reports, Michigan Medicine has experienced eight data breaches since 2018, including two in 2024 that together impacted over 50,000 individuals. Most data breaches, such as accidental disclosures or phishing attacks, are preventable with the right training and software, including the Paubox email suite.


The big picture

Michigan Medicine believes the risk of identity theft or medical identity theft is low, but as a precaution, impacted individuals should still monitor their medical insurance statements for services they did not receive.

Although the disclosed information technically wasn’t PHI under HIPAA, research organizations still need to maintain high data security standards, which helps preserve trust and ensures information isn’t misused. Even when a breach or disclosure isn’t a HIPAA violation, notifying the affected individuals and the relevant governing authorities is a meaningful way to increase transparency and ensure accountability.


FAQs

Is research study information considered protected health information (PHI)?

If the information used in a research study is health information that is linked to a health care service (for example, drawn from treatment or billing records), it is PHI under HIPAA. If it is not linked to health care services, as in this instance, the information is not considered PHI, but it is still subject to human subject protections and IRB oversight.


Did this disclosure get reported to the Department of Health and Human Services (HHS)?

No. Because this incident did not involve PHI, it did not need to be reported to HHS under the HIPAA Breach Notification Rule.