Health data for more than 18,000 patients from the Henry Ford Health System was either viewed or stolen.
Henry Ford is notifying 18,470 patients that they may have been affected by the breach after learning in October that someone had either gained access to or stolen email credentials for some of its employees, the system said in a statement emailed to FierceHealthcare.
The Detroit-based organization said it is not clear whether the data was taken for potentially-harmful purposes. Information that was accessed included names, dates of birth and medical information, but neither Social Security numbers nor credit card information was accessed.
"We are very sorry this happened," the system said in the statement. "We take very seriously any misuse of patient information, and we are continuing our own internal investigation to determine how this happened and to ensure no other patients are impacted."
RELATED: 5 ways to prevent internal health data breaches
Henry Ford said it will strengthen security protocols for its employees and will conduct training to reinforce security best practices. It will also push for more multifactor authentication to better protect patient data. Patients impacted by the breach will be issued new patient numbers upon request, the system said.
Though outside breaches are what most would think of as a cyberattack, healthcare information technology executives actually think that employees pose the greater threat. Nearly half (46%) of respondents to a recent survey said that staff members have a lack of awareness around cybersecurity, and organizational cultures rarely emphasize it.
RELATED: The healthcare data breach that took 14 years to uncover
"The human factor is the hardest part," Tallahassee Memorial Healthcare CIO Don Lindsey told FierceHealthcare in a recent interview. "You’re only good as good as your security awareness training program."
In February, for example, the number of overall data breaches decreased from the month before, but 60% of breaches from February were related to insider threats. In some cases, healthcare organizations failed to recognize the breach for as long as five years.