Data Breaches Announced by Corewell Health & Rocky Mountain Care
Rocky Mountain Care in Utah has announced a January 2026 data breach, and Corewell Health in Michigan has confirmed that more than 19,000 patients have been affected by a data breach at business associate Pinnacle Holdings.
Corewell Health, Michigan
Corewell Health, a non-profit Michigan health system, has recently confirmed that the protected health information of more than 19,000 of its patients has been exposed in a data breach at one of its business associates, Colorado-based Pinnacle Holdings, LTD. Pinnacle Holdings, a provider of consulting services, experienced a network disruption on November 25, 2024, that affected some of its IT systems, including systems containing the protected health information of patients of its clients.
Pinnacle Holdings said immediate action was taken to secure its systems; however, the detailed data review has taken many months to complete due to the complexity of the impacted data. The company has now confirmed that patient names, phone numbers, birth dates, Social Security numbers, driver’s license numbers, health insurance information, prescription information, and dates of service were compromised. The affected Corewell Health patients have been offered complimentary credit monitoring and identity theft protection services, and Pinnacle Holdings has implemented additional safeguards to prevent similar incidents in the future.
The data breach at Pinnacle Holdings affected several of the company’s clients, including the Chicago-based Catholic health system, CommonSpirit Health, as previously reported by The HIPAA Journal. It is currently unclear how many clients were affected in total or the number of individuals whose data was compromised in the incident.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Rocky Mountain Care, Utah
Rocky Mountain Care, a Woods Cross, Utah-based provider of skilled nursing care and home health services to seniors in Utah and Wyoming, has announced a January 2026 cybersecurity incident that involved unauthorized access to parts of its network that contained patient information. The forensic investigation determined that a hacker gained access to files on its network between January 30, 2026, and February 2, 2026. The review of the impacted data is ongoing, so the full impact of the incident has yet to be determined. Rocky Mountain Care said notification letters will be mailed to the affected individuals when the review is concluded
While further details about the attack have not been disclosed, a threat actor has claimed responsibility for the incident. The Qilin threat group added Rocky Mountain Care to its dark web data leak site on February 23, 2026, and issued a ransom demand along with a threat to publish the stolen data if the ransom was not paid. Samples of data allegedly stolen in the attack were also added to the listing. Qilin claimed to have exfiltrated 33 GB of data in the attack and later published the stolen data, indicating the ransom was not paid.
