Email Cyber Attack Leads to 18,500 Patients’ PHI Exposed

by | Dec 11, 2017

The  Henry Ford Health System has started alerting almost 18,500 patients that some of their protected health information may have been been accessed by an unauthorized person.

The breach was found on October 3, 2017 when unauthorized access to the email accounts of several employees of the Detroit-based group was detected. While protected health information was possibly accessed or stolen, the health system’s EHR system was not compromised at any time.All data was limited to the compromised email accounts.

It is currently unclear specifically how access to the email accounts was obtained. Normally, breaches such as this are phishing attacks, where multiple emails are sent to healthcare staff that fool them into disclosing their login details. An internal investigation into the breach is underway to determine the cause of the attack and how the login credentials of some of its workers were stolen.

Henry Ford Health System has completed an examination of all emails in the accounts and has determined that 18,470 patients have been affected. The emails included a range of information on patients including names, medical record numbers, dates of birth, provider’s name, department’s name, location, dates of service, medical diagnoses, and the identity of health insurers. Each patient affected by the breach had some or all of the above information obtained. Financial data and Social Security numbers were not included in any of the compromised email accounts.

At this stage in the review it is unclear whether the person who accessed the accounts viewed or stole any data. and whether any of the PHI has been used for ill means.

Henry Ford Health System stated, “We take very seriously any misuse of patient information, and we are continuing our own internal investigation to determine how this happened and to ensure no other patients are impacted. To reduce future risk of this happening again, we are strengthening our security protections for employees, all of whom will be educated about this measure in the coming weeks.”

Henry Ford Health System will also be looking over its policies on email retention and the use of two-factor security authentication.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy