A phishing attack on an employee's email is the source of a potential data breach affecting 16,000 patients of a Michigan practice.

On July 14, an unauthorized individual gained access to the email account of an employee of Oakland Family Services, a nonprofit human and health services organization based in Pontiac.

The organization learned of the attack the same day. There was no infiltration of the EMR databases, or any other agency email accounts or databases, according to a release. The "rogue user" had access to the account for 23 minutes.

The email account contained protected health information including names, client ID numbers, services dates and types of service provided. Some emails also included birth dates, telephone numbers, addresses, diagnoses, health plan ID numbers, insurance numbers and Social Security numbers.

The incident affects clients seen between April 2007 and July 2015. 

The agency said it immediately terminated the hacker's access to the email account upon learning of the incidence. "We took action within 15 minutes of the intruder gaining access to block him or her from the affected email account and based on this incident, even stronger email protocol has been implemented," said David Partlo, the organization's director of IT.