Marquette County Medical Care Facility Data Breach Caused by HR Email Compromise

• Marquette County Medical Care Facility (MCMCF) experienced a data breach on March 3, 2025
• It was caused by a business email compromise in its HR department
• The breach exposed Personally Identifiable Information (PII) and Protected Health Information (PHI)

In response to a data privacy incident, Marquette County Medical Care Facility (MCMCF) issued a press release notifying of a potential data breach. The healthcare provider located in Ishpemig, Michigan, discovered a data breach on March 3, 2025. 

Hackers first accessed the Human Resources director’s account, following which they sent phishing emails to the director’s contacts. The MS Office 365 account breach led to the compromise of personally identifiable information (PII).

The information included names, Social Security numbers, dates of birth, protected health information (PHI), and bank details. The breach is considered severe due to the nature of the information exposed to hackers and the method involved in it, a Claim Depot report added.

The Marquette County Medicare Facility data breach is under investigation by Shamis & Gentile P. A that urged affected individuals to opt for identity theft protection services, and to monitor each of their account activities for fraudulent transactions.

MCMCF assured that they enabled multi-factor authentication on the affected account and terminated all active logins to curb further damage. This incident, while stemming from an IT system compromise (HR email), highlights the ongoing and complex cybersecurity challenges within the broader healthcare sector.

This context is further underscored by recent developments in securing medical product manufacturing. In a related development, the FDA recently published a white paper emphasizing the critical importance of integrating robust cybersecurity measures into the advanced and smart technologies utilized for manufacturing medical products.

The white paper notes that manufacturing infrastructure increasingly incorporates numerous connected devices, known as Operational Technologies (OT), which have historically been designed with a primary focus on consistent functionality rather than comprehensive cybersecurity. 

This prioritization can make it difficult to ascertain when, where, and how network communications occur, potentially increasing the risk of cyberattacks.

Furthermore, commercially available manufacturing equipment may not inherently comply with national and international cybersecurity standards and best practices, necessitating meticulous system design and configuration by manufacturers. 

The FDA underscores that making state-of-the-art cybersecurity standards an integral part of industry best practices for manufacturers will reduce the vulnerability of U.S. medical production and its supply chain.

Elaborating on medical device security, Nivedita Murthy, Senior Staff Consultant at Black Duck, explained, "Many medical devices use vulnerable legacy protocols. Upgrading is complex. Digitalization demands security-by-design, with manufacturers prioritizing new security methods and adhering to standards like FIPS."

Meanwhile, Agnidipta Sarkar, Chief Evangelist at ColorTokens, expressed concern on regulatory guidance, stating, "FDA guidance since 2005 focuses on cybersecurity-by-design for medical devices. However, many fail to implement essential visibility and control over traffic and lateral movement, which is crucial for protecting critical assets and communications vital for saving lives."

Nathaniel Jones, Vice President of Threat Research at Darktrace, weighed in on IT/OT convergence, observing, "As OT integrates with IT, attack opportunities increase. Strong OT security needs robust IT security and team coordination. Organizations can improve defense through good cyber hygiene and proactively addressing vulnerabilities."

Furthermore, John Gallagher, Vice President at Viakoo, discussed new requirements for business lines, noting, "The shift to targeting IoT/OT devices introduces new security demands for non-IT lines like manufacturing and healthcare. Employers will prioritize securing these devices and recruiting security professionals who can operate outside traditional IT as threats become more cyber-physical."