Second Corewell Health data breach exposes info of one million patients

A cybersecurity breach at HealthEC, LLC, a population health management platform that provides services to Corewell Health’s southeastern Michigan properties, has reportedly affected more than one million Michigan residents, Attorney General Dana Nessel announced.

HealthEC is a Corewell Health vendor providing services to “identify high-risk patients, close gaps in care and recognize barriers to optimal care.” Notice letters were mailed to impacted persons by HealthEC on December 22, 2023. While not all persons have the same impacted data, the impacted data can include: name; address; date of birth; Social Security number; medical record number; medical information, such as diagnosis, diagnosis code, mental/physical condition, prescription information, and provider’s name; health insurance information, including beneficiary number, subscriber number, Medicaid and/or Medicare identification number; billing and claims information, including patient account number, patient identification number, and treatment cost information.

“Health information is some of the most personal information we have,” said Michigan Attorney General Dana Nessel. “Michigan residents have been subjected to a surge of healthcare-related data breaches and deserve robust protection. It is critical that the Michigan legislature join the many other states that require companies who experience a data breach to immediately inform the Department of Attorney General.”

Just last month, Corewell Health announced a data breach at Welltok Inc., a software company contracted by Corewell to provide communications services which also impacted one million Michigan patients. Earlier this year, Nessel notified Michigan residents about a ransomware attack affecting 2.5 million McLaren Health Care patients. Similarly, the University of Michigan faced a cyberattack in late August, leading to the compromise of personal information, including Social Security numbers, driver’s licenses or other government-issued ID numbers, and medical records.

Corewell Health contacted the Department of Attorney General ahead of their public announcement about this most recent breach; however, that is not currently required by Michigan law. The Department often learns about data breaches through media reports.

HealthEC is offering 12 months of credit monitoring and identity protection services through TransUnion. Information on how to enroll will be mailed directly to potentially impacted patients. For additional information, consumers can call 1-833-466-9216 toll-free.    

A smaller number of individuals were also impacted through Beaumont ACO. Beaumont ACO has a separate contract with HealthEC. Because of this, two separate patient notices are going out, and impacted individuals may receive two notice letters. Corewell Health has advised that impacted data is the same for both Beaumont ACO and Corewell Health.

“Some Corewell patients may receive two letters due to the impact of this breach, which may cause confusion,” Nessel added. “Irrespective of how or when you’ve been impacted by a security breach, my Department stands ready to help Michigan residents protect their identities and personal information.”

The Department of Attorney General’s?Data Breaches: What to do Next alert (www.michigan.gov/consumerprotection/identity-theft/data-breaches) provides consumers with useful information about what kind of information can be accessed during a data breach.

To file a complaint with the attorney general, or get additional information, contact:
Consumer Protection Team
P.O. Box 30213
Lansing, MI 48909
517-335-7599
Fax: 517-241-3771
Toll-free: 877-765-8388
Online complaint form: https://secure.ag.state.mi.us/complaints/ consumer.aspx.