The Henry Ford Health System announced this week that some 18,470 of its patients had their health information either viewed or stolen.
"It is not clear," the statement on the data breach said, "whether this information was used for any inappropriate purposes."
There is no criminal investigation into the breach, said David Olejarz, a spokesman for the Henry Ford Health System.
Henry Ford Health first learned of the breach two months ago, on Oct. 3, "after someone gained access to or stole the email credentials of a group of employees," which are name and password protected. Anyone able to access those email accounts would also have gained access to information on patients.
In the full statement, Henry Ford Health System said:
"Henry Ford Health System is notifying 18,470 patients whose personal health information was viewed or stolen by someone who gained access to it illegally. It is not clear whether this information was used for any inappropriate purposes.
"We are very sorry this happened. We take very seriously any misuse of patient information, and we are continuing our own internal investigation to determine how this happened and to ensure no other patients are impacted.
"We first learned of the incident on Oct. 3, 2017 after someone gained access to or stole the email credentials of a group of employees. The email credentials are name and password protected by encryption. Using the email credentials, the person(s) would have had access to the email accounts of the employees. Contained in the email accounts were patient health information.
"Like other health organizations, our providers share encrypted email messages to ensure patient care is seamless.
"The patient information viewed or taken may have included their name, date of birth, medical record number, provider’s name, date of service, department’s name, location, medical condition and health insurer. Neither their Social Security number nor credit card information was revealed.
"To reduce future risk of this happening again, we are strengthening our security protections for employees, all of whom will be educated about this measure in the coming weeks. In addition, we are expediting our initiatives around email retention and multi-factor authentication, which will decrease future risks to our patients and employees. To provide protection to our patients, new medical record numbers will be issued upon request.
"Patients who received a notification letter are asked to call 844-327-2396."