Records of patients at Henry Ford Hospital in Detroit and other Henry Ford Health System facilities were compromised in early October.
More than 18,000 Henry Ford Health System patients' personal health information was viewed or stolen in early October by an unknown person or entity who hacked the Detroit-based health system's electronic health records.
HFHS officials said it is not clear whether the 18,470 patient files have been used for inappropriate purposes.
"We are very sorry this happened. We take very seriously any misuse of patient information, and we are continuing our own internal investigation to determine how this happened and to ensure no other patients are impacted," Henry Ford said in a statement.
Henry Ford said it first learned of the incident Oct. 3 after someone gained access to or stole the email credentials of a group of employees. The employee credentials are name- and password-protected by encryption. The email accounts had patient health information.
Like other health organizations, Henry Ford providers share encrypted email messages to ensure patient care is seamless, the statement said.
Over the past several years, hospitals and health insurers in Michigan and other states have been subject to loss of patient data through hacking or stolen laptops. For example, Detroit Medical Center in July warned 1,529 patients of a systemwide breach of protected health information.
In 2010, Henry Ford experienced a patient data breach when a laptop containing personal health information was stolen from an unlocked office.
Federal law requires healthcare organizations to notify patients within 60 days of a data breach.
Henry Ford said patient information viewed or taken may have included their name, date of birth, medical record number, provider's name, date of service, department's name, location, medical condition and health insurer. Social Security numbers or credit card information were not compromised, HFHS said.
"To reduce future risk of this happening again, we are strengthening our security protections for employees, all of whom will be educated about this measure in the coming weeks," the statement said.
"In addition, we are expediting our initiatives around email retention and multi-factor authentication, which will decrease future risks to our patients and employees."
Henry Ford said patients can request new medical record numbers.