An unknown hacker gained access to 18,470 patients’ personal health information via employee emails at Detroit-based Henry Ford Health System (HFHS).

According to the press release, HFHS first learned of the incident on October 3, 2017, after becoming aware that the email credentials of a group of employees had been compromised. Even though the email accounts were protected by user names and passwords and by encryption, they remained vulnerable to this kind of illegal access once the credentials themselves were in the hacker's hands. The email accounts contained patient health information, including:

  • Patient name
  • Date of birth
  • Medical record number
  • Provider’s name
  • Date of service
  • Department’s name
  • Location
  • Medical condition
  • Health insurer

HFHS will continue with its own investigation to assess whether the hacker used the illegally obtained personal health information for inappropriate purposes. HFHS also plans to strengthen its security protections for its employees by rolling out an education incentive in the coming weeks. HFHS added, “[W]e are expediting our initiatives around email retention and multi-factor authentication, which will decrease future risks to our patients and employees. To provide protection to our patients, new medical record numbers will be issued upon request.”

As a reminder, covered entities must notify the Secretary of the U.S. Department of Health and Human Services, the affected individuals, and the media whenever a data breach affects the personal health information of 500 or more individuals, without unreasonable delay and in no case later than 60 days following discovery of the breach. Covered entities must also tell each affected individual, among other things, what steps they should take to protect themselves from potential harm, how the covered entity is mitigating the harm, and what it plans to do to prevent further breaches.