Another Corewell Health Business Associate Suffers Million-Record Data Breach
The Michigan Attorney General’s Office announced on Tuesday that the protected health information of more than one million Corewell Health patients had been compromised in a cyberattack on one of Corewell Health’s vendors. HealthEC provides Corewell Health with a population health management platform that is used to identify high-risk patients in southeastern Michigan to close gaps in care and identify barriers to optimal care.
HealthEC explained in its breach notification letters that suspicious activity was identified within its network and the forensic investigation determined that an unknown, unauthorized actor had access to some internal systems between July 14, 2023, and July 23, 2023. During that time, files containing protected health information were removed from its systems. HealthEC conducted a review of all files on the compromised part of the network and notified its affected clients on October 26, 2023. HealthEC then worked with those clients to issue notifications. According to the notification sent to the Maine Attorney General, HealthEC started mailing notification letters to 112,005 individuals on December 22, 2023. Some of HealthEC’s covered entity clients have opted to send notification letters themselves.
According to HealthEC, the following types of information were compromised: names, addresses, dates of birth, Social Security numbers, medical record numbers, diagnoses and diagnosis codes, mental/physical condition, prescription information, providers’ names, beneficiary numbers, subscriber numbers, Medicaid/Medicare identification numbers, patient account numbers, patient identification numbers, and treatment cost information. HealthEC has offered complimentary credit monitoring and identity theft protection services to the affected individuals for 12 months.
Data breaches at business associates of HIPAA-covered entities often affect many of their clients. Another HealthEC client known to have been affected is Beaumont ACO in Michigan. It is possible that individuals may receive two notification letters related to this incident if they have previously received services from Corewell Health and Beaumont ACO.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
This is the second major data breach to affect Corewell Health patients this year. In November, Welltok Inc., which provides patient communication services, started notifying around one million Corewell Health patients that some of their protected health information had been stolen when a zero-day vulnerability was exploited in Progress Software’s MOVEit Transfer file transfer solution. The two incidents are unrelated and were conducted by separate threat actors. Corewell Health patients had their names, dates of birth, email addresses, phone numbers, diagnoses, health insurance information, and Social Security numbers stolen by the Clop hacking group. The same breach also affected Priority Health, which is Corewell Health’s insurance plan.
“Health information is some of the most personal information we have,” said Michigan Attorney General Dana Nessel. “Michigan residents have been subjected to a surge of healthcare-related data breaches and deserve robust protection. It is critical that the Michigan legislature join the many other states that require companies who experience a data breach to immediately inform the Department of Attorney General.”