Compromised Email Accounts Exposed PHI of 18,500 Patients

A PHI breach at the Detroit-based Henry Ford Health System affected about 18,500 patients. The organization became aware of the breach on October 3, 2017. According to the report, an unauthorized individual accessed the email accounts of a number of employees, which could have allowed patients' protected health information to be viewed or stolen. The organization has given assurance, however, that the data accessed was confined to the email accounts and did not include data in the Henry Ford Health System EHR system.

There is no clear information on how the unauthorized person obtained access to the email accounts. It was likely through a phishing attack: the healthcare employees must have received emails that tricked them into disclosing their login details. The breach investigation is still ongoing to establish the full details of the incident.

Henry Ford Health System reviewed the accessed email accounts and determined that they contained the records of 18,470 patients. The information included patients' names, dates of birth, medical record numbers, provider names, location, dates of service, department names, medical diagnoses and health insurer names. Fortunately, the compromised email accounts did not contain any financial information or Social Security numbers.

There is no indication yet whether the unauthorized person viewed or stole the information in the accessed email accounts, and no update is available on any inappropriate use of the patients' PHI. Henry Ford Health System is continuing its internal investigation to find out how the breach happened and to make sure that no other patients are affected. The organization also took corrective action, including reviewing email retention policies, securing employees' accounts with two-factor authentication and giving employees further security training in the hope of preventing future breaches.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years of experience writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA