Michigan health system reports second data breach, affecting more than 1M patients


(NEW YORK) — A health system in Michigan has experienced its second cybersecurity breach this year, affecting more than 1 million patients, according to state officials.

Michigan Attorney General Dana Nessel announced Tuesday there was a breach at HealthEC, a vendor that provides services to Corewell Health’s southeast Michigan properties. The breach exposed patients’ personal and medical information.

HealthEC services is helping to “identify high-risk patients, close gaps in care and recognize barriers to optimal care,” according to a release.

It’s unclear what specific information was exposed but it can include name, address, date of birth, Social Security number, medical diagnoses, mental/physical condition, health insurance information, treatment cost information and billing and claims information, the release said.

Patients affected by the breach had notice letters mailed to them on Dec. 22, according to Nessel’s office.

“Health information is some of the most personal information we have,” Nessel said in a statement. “Michigan residents have been subjected to a surge of healthcare-related data breaches and deserve robust protection. It is critical that the Michigan legislature join the many other states that require companies who experience a data breach to immediately inform the Department of Attorney General.”

Corewell Health said it contacted the attorney general’s office before making a public announcement.

Last month, Corewell Health announced that vendor Welltok, experienced a data breach that led to similar personal and medical information being exposed. More than 1 million patients were impacted.

For anyone affected by the data breach, Nessel’s office recommends steps including changing passwords, contacting one’s bank or credit union and potentially putting a fraud alert on one’s credit file to prevent identify theft.

This is the latest in a series of cyberware attacks and data breaches that have been affecting health system across the U.S.

In Oklahoma, Integris Health — which offers hospitals and primary care clinics across the state — said a data breach were accessed by an unauthorized party at the end of November, according to local ABC News affiliate KOCO 5.

The health system then announced on Christmas Eve that patients were receiving messages from a group claiming responsibility for the data breach and threatening to expose the information on the dark web unless they received payment.

Capital Health — which operates hospitals in Trenton and Pennington as well as primary care offices across New Jersey — said last month it had been experiencing network outages that it believes was a “cybersecurity incident,” but was unsure if any personal information had been exposed.

Additionally, hospitals run by Ardent Health Services — including two in New Jersey — were forced to divert ambulances to other area hospitals and cancel some non-elective procedures after the organization discovered a ransomware attack on Thanksgiving Day.


Copyright © 2023, ABC Audio. All rights reserved.