Beaumont Health has notified about 6,000 patients that their personal health information may have been stolen by an unauthorized person gaining access to employee email accounts.
On July 28, Southfield, Mich.-based Beaumont informed the patients of the "data security incident," which it said involved less than 0.3% of the eight-hospital system's 2.3 million patients.
"Upon learning of this issue, Beaumont promptly disabled the accessed email accounts and required mandatory password resets to prevent further misuse. Beaumont immediately launched a prompt and thorough investigation, working closely with external cyber security professionals," the health system said in a statement.
It is the second patient data breach disclosed by Beaumont in the past 12 months. Last year, cybercriminals mounted a phishing attack and may have stolen patient health and financial information on 112,000 Beaumont patients. The data breach occurred in 2019, but Beaumont reported the incident in April.
A Beaumont investigation into the most recent breach discovered on June 5 that one or more of the email accounts accessed between Jan. 3 and Jan. 29 contained identifiable personal and protected health information.
"Our investigation was unable to determine definitively if any information was viewed or acquired by the unauthorized third party, and Beaumont has no knowledge of any misuse of data by any unauthorized individuals," said Beaumont, adding that its electronic medical record system was not impacted by this incident and remains secure.
However, the accessed email accounts contained the personal and protected health information of certain patients, including name, date of birth, diagnosis, diagnosis code, procedure, treatment location, treatment type, prescription information, Beaumont patient account number, and Beaumont medical record number.
For more information, Beaumont has set up a toll-free response line at 844-925-2476. The response line is available Monday through Friday, 9 a.m. to 6:30 p.m.