Henry Ford Health System in Detroit has suffered a data breach affecting 18,470 patients after someone illegally “gained access to or stole the email credentials of a group of employees.” The incident was discovered on October 3, although it is not known how the breach was exposed.
Henry Ford Health System has apologized and has launched an internal investigation.
A statement from the organization said:
The email credentials are name and password protected by encryption. Using the email credentials, the person(s) would have had access to the email accounts of the employees. Contained in the email accounts was patient health information.
The patient information viewed or taken may have included their name, date of birth, medical record number, provider’s name, date of service, department’s name, location, medical condition and health insurer. Neither their Social Security number nor credit card information was revealed.
It has not been confirmed how the email credentials were obtained or whether any of the compromised data has been used inappropriately.
In order to prevent similar incidents, security protection is being increased for employees, and email multi-factor authentication is being considered. Affected patients can request new medical numbers for extra protection.
The number of data breaches within the healthcare sector is increasing, probably because of the volume of personal data that organizations hold.
Educate your staff
Enroll your staff on our Information Security Staff Awareness E-Learning Course to reduce the likelihood of a breach by familiarizing them with security awareness policies and procedures. The course advises staff on how to avoid becoming a security liability, introduces them to your internal policies on incident reporting and responses, and provides basic knowledge of information security best practice to reduce preventable mistakes.