[BreachExchange] Nearly 20, 000 patients compromised by Henry Ford Health System data breach

Destry Winant destry at riskbasedsecurity.com
Thu Dec 7 01:06:46 EST 2017 

https://www.freep.com/story/news/local/michigan/detroit/2017/12/06/henry-ford-hospital-data-breach/926163001/

Henry Ford Health System announced this week a data breach of health
information that involves nearly 20,000 patients. It is "unclear" if
any of the compromised information has been used "inappropriately."

"We are very sorry this happened. We take very seriously any misuse of
patient information, and we are continuing our own internal
investigation to determine how this happened and to ensure no other
patients are impacted," the hospital wrote in a news release this
week, noting that they learned of the incident on October 3 after the
e-mail credentials of a group of employees were also compromised.

"... Someone gained access to or stole the e-mail credentials of a
group of employees," a release on the breach stated, explaining that
patient health information was inside of these employee e-mail
accounts.

It is still unclear if any of the information that was "viewed or
stolen" has been used for any inappropriate use, the hospital stated
adding that Social Security numbers and credit card info was not
included in the data breach. What was compromised was information such
as patient names, birthdates, medical record numbers, provider names,
dates of service, department names, locations, medical conditions and
health insurers. A total of 18,470 patient's information was
compromised.

"To reduce future risk of this happening again, we are strengthening
our security protections for employees, all of whom will be educated
about this measure in the coming weeks," the hospital stated, adding
that they are moving forward with initiatives dealing with e-mail
retention and multi-factor authentication.

This is not the first time a Detroit-area hospital has undergone a
data breach. In July Detroit Medical Center announced the
compromisation of health information that involved about 1,500
patients seen at one of its facilities in 2015 and 2016. In that case
a staffing agency contracted by DMC had told the hospital that one of
its employees had provided the information to unauthorized people who
weren’t affiliated with the DMC organization.

In the case of Henry Ford Health System, the hospital will issue new
medical record numbers upon request.

More information about the BreachExchange mailing list