February 23, 2020

Investigation Continues After Massive Data Breach at Henry Ford Health System

An unknown hacker gained access to 18,470 patients’ personal health information via employee emails at Detroit-based Henry Ford Health System (HFHS).

According to the press release, HFHS first learned of the incident on October 3, 2017, after becoming aware that the email credentials of a group of employees were compromised. Even though the emails were name- and password-protected by encryption, they remained vulnerable to such illegal access. The email accounts contained patient health information, including:

  • Patient name
  • Date of birth
  • Medical record number
  • Provider’s name
  • Date of service
  • Department’s name
  • Location
  • Medical condition
  • Health insurer

HFHS will continue with its own investigation to assess whether the hacker used the illegally obtained personal health information for inappropriate purposes.  HFHS also plans to strengthen its security protections for its employees by rolling out an education incentive in the coming weeks. HFHS added, “[W]e are expediting our initiatives around email retention and multi-factor authentication, which will decrease future risks to our patients and employees.  To provide protection to our patients, new medical record numbers will be issued upon request.”

As a reminder, covered entities must notify the Secretary of the U.S. Department of Health and Human Services, the affected individuals, and the media whenever a data breach affects the personal health information of 500 or more individuals, without unreasonable delay and in no case later than 60 days following a breach. Covered entities must also tell each affected individual, among other things, what steps to take to protect themselves from potential harm, how the covered entity is mitigating the harm, and what it plans to do to prevent further breaches.

© 2020 Faegre Drinker Biddle & Reath LLP. All Rights Reserved.


About this Author

Sumaya Noush, Drinker Biddle Law Firm, HealthCare Attorney
