Henry Ford Health System is notifying patients that a hacker breached its system in early October and potentially viewed and stole the data of 18,470 patients.

The Detroit health system first discovered the incident on Oct. 3 when the email credentials of a group of employees were stolen, which were password protected and encrypted. With those credentials, the hacker could have accessed employee email accounts that contained patient health data.

The emails contained patient names, dates of birth, medical record numbers, provider names, dates of service, health insurer, medical conditions and locations. While the email messages were encrypted, it could have been viewed or taken if the hacker used the credentials.

[Also: The biggest healthcare breaches of 2017]

The health system is bolstering its security after the attack, including employee education. 
Further, Henry Ford Health is increasing initiatives around email retention and multi-factor authentication to “decrease future risks to our patients and employees.”

“To provide protection to our patients, new medical record numbers will be issued upon request,” officials said in a statement.

“We are very sorry this happened,” they continued. “We take very seriously any misuse of patient information, and we’re continuing our own internal investigation to determine how this happened and to ensure no other patients are impacted.”

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com