Henry Ford Health System, a six-hospital delivery system serving metropolitan Detroit, has begun notifying 18,470 patients following a hacking attack.

The organization on October 3 learned that one or more unknown attackers gained access to or stole the email credentials of a group of employees; the emails also contained protected health information.

Using the email credentials, the perpetrators would have had access to the email accounts of the employees, the health system said in a notice to media outlets.

Also See: 8 steps for protecting health data when employees leave

Compromised information may have included patient names, dates of birth, medical record numbers, provider names, dates of service, department names, locations, medical conditions and health insurers. However, Social Security numbers and credit card information were not compromised.

“To reduce future risk of this happening again, we are strengthening our security protections for employees, all of whom will be educated about this measure in the coming weeks,” a public statement by Henry Ford indicated.

“In addition, we are expediting our initiatives around email retention and multi-factor authentication, which will decrease future risks to our patients and employees. To provide protection to our patients, new medical record numbers will be issued upon request,” the announcement indicated.

The impacted patients are not receiving identity monitoring services as their exposure was not of a financial nature, according to a spokesperson at Henry Ford Health System.