The Detroit-based Henry Ford Health System has issued notifications to almost 18,500 patients that some of their PHI has potentially been seen by an unauthorized person.
The PHI breach was discovered on October 3, 2017, when unauthorized access to the email accounts of several members of staff was detected. While protected health information may have been accessed or stolen, the health system's EHR system was not accessed at any point. All exposed data was confined to the compromised email accounts.
At present it is unclear exactly how access to the email accounts was obtained. Breaches of this kind typically involve phishing attacks, in which emails are sent to healthcare workers to trick them into disclosing their login credentials. An internal review into the breach is underway to determine the cause of the attack and how the login credentials of some of its employees were illegally obtained.
Henry Ford Health System has completed a review of all emails in the accounts and has found that 18,470 patients have been affected. The emails included a range of patient information, including names, medical record numbers, dates of birth, provider names, department names, locations, dates of service, medical diagnoses, and the names of health insurance companies. Each affected patient had some or all of the above information exposed. Financial data and Social Security numbers were not included in any of the compromised email accounts.
At this stage in the review it is unclear whether the person who breached the accounts viewed or stole any PHI, and whether any of the PHI has been used improperly.
In a media statement, Henry Ford Health System said, “We take very seriously any misuse of patient information, and we are continuing our own internal investigation to determine how this happened and to ensure no other patients are impacted.” It added, “To reduce future risk of this happening again, we are strengthening our security protections for employees, all of whom will be educated about this measure in the coming weeks.”
Henry Ford Health System will also be reconsidering its policies on email retention and the use of two-factor authentication as additional security measures.