DETROIT – The personal health information of more than 18,000 patients was illegally viewed or stolen during a data breach at Henry Ford Health System, the company said.
Henry Ford Health System is one of Metro Detroit's largest health care and emergency room providers.
Someone illegally gained access to the personal health information of 18,470 patients, the company said. It's unclear if the information was used for "inappropriate purposes."
Henry Ford Health System first learned of the incident Oct. 3 after the email credentials of a group of employees were stolen. The email credentials, a name and password, are protected by encryption, the company said.
Using the email credentials, the person could have accessed employees' email accounts, which contained patients' health information.
Henry Ford Health System said the information that might have been viewed or stolen includes name, date of birth, medical record number, provider's name, date of service, department's name, location, medical condition and health insurer.
Neither Social Security numbers nor credit card information was revealed, Henry Ford Health System said.
The company said it is strengthening its security protections for employees to reduce the risk of another data breach.
Patients can request new medical record numbers for protection, the company said.
Here is the full statement from Henry Ford Health System:
"Henry Ford Health System is notifying 18,470 patients whose personal health information was viewed or stolen by someone who gained access to it illegally. It is not clear whether this information was used for any inappropriate purposes.
"We are very sorry this happened. We take very seriously any misuse of patient information, and we are continuing our own internal investigation to determine how this happened and to ensure no other patients are impacted.
"We first learned of the incident on Oct. 3, 2017 after someone gained access to or stole the email credentials of a group of employees. The email credentials are name and password protected by encryption. Using the email credentials, the person(s) would have had access to the email accounts of the employees. Contained in the email accounts were patient health information.
"Like other health organizations, our providers share encrypted email messages to ensure patient care is seamless.
"The patient information viewed or taken may have included their name, date of birth, medical record number, provider’s name, date of service, department’s name, location, medical condition and health insurer. Neither their Social Security number nor credit card information was revealed.
"To reduce future risk of this happening again, we are strengthening our security protections for employees, all of whom will be educated about this measure in the coming weeks. In addition, we are expediting our initiatives around email retention and multi-factor authentication, which will decrease future risks to our patients and employees. To provide protection to our patients, new medical record numbers will be issued upon request.
"Patients who received a notification letter are asked to call 844-327-2396."