Detroit, Mich.-based Henry Ford Health System is notifying 18,470 patients whose protected health information may have been compromised after someone gained illegal access to employees' email credentials, a hospital spokesperson confirmed to Becker's Hospital Review.
Henry Ford first learned of the incident Oct. 3, when someone gained access to or stole email credentials belonging to a group of employees. Using the email credentials, which are name and password protected by encryption, the individual, or group of individuals, would have access to employees' email accounts containing patient health information.
Henry Ford believes this individual viewed or took patients' names, dates of birth, medical record numbers, providers' names, dates of service, departments' names, locations, medical conditions and health insurer information. No Social Security numbers or credit card information was included in the compromised email accounts.
"We are very sorry this happened. We take very seriously any misuse of patient information, and we are continuing our own internal investigation to determine how this happened and to ensure no other patients are impacted," reads a hospital statement.
The hospital notes it is strengthening its security protections and expediting its initiatives around email retention and multi-factor authentication to reduce future risks to patients and employees. It is also issuing new medical record numbers to patients upon their request.
More articles on cybersecurity:
Researchers warn hacked IV pumps could lead to data breaches
AHA rolls out webinar series addressing cybersecurity
10 biggest malware campaigns & high-profile cyberattacks of 2017