Data breach may affect up to 1 million Corewell Health patients

By: Brendan Losinski | Metro | Published December 27, 2023

Shutterstock image


LANSING — Just weeks after the announcement of a potential data breach of patients at Corewell Health, Michigan Attorney General Dana Nessel is warning Michigan residents of another.

A cybersecurity breach at HealthEC, LLC, a population health management platform that provides services to Corewell Health’s southeastern Michigan properties, has reportedly affected more than one million Michigan residents according to the office of the Michigan Attorney General.

HealthEC is a Corewell Health vendor providing services to “identify high-risk patients, close gaps in care and recognize barriers to optimal care,” said Nessel’s office. Notice letters were mailed to impacted persons by HealthEC on Dec. 22, 2023.

While Nessel’s office said that not all persons have the same impacted data, the impacted data can include: name; address; date of birth; Social Security number; medical record number; medical information, such as diagnosis, diagnosis code, mental/physical condition, prescription information, and provider’s name; health insurance information, including beneficiary number, subscriber number, Medicaid and/or Medicare identification number; billing and claims information, including patient account number, patient identification number, and treatment cost information.

“Health information is some of the most personal information we have,” Nessel said in a press release. “Michigan residents have been subjected to a surge of healthcare-related data breaches and deserve robust protection. It is critical that the Michigan legislature join the many other states that require companies who experience a data breach to immediately inform the Department of Attorney General.”

Just last month, Corewell Health announced a data breach at Welltok, Inc., a software company contracted by Corewell to provide communications services which also impacted one million Michigan patients. Earlier this year, Attorney General Nessel notified Michigan residents about a ransomware attack affecting 2.5 million McLaren Health Care patients. Similarly, the University of Michigan faced a cyberattack in late August, leading to the compromise of personal information, including Social Security numbers, driver’s licenses or other government-issued ID numbers, and medical records.

Corewell Health contacted the Department of Attorney General ahead of their public announcement about this most recent breach; however, that is not currently required by Michigan law. The department said they often learns about data breaches through media reports.

HealthEC is offering 12 months of credit monitoring and identity protection services through TransUnion. Information on how to enroll will be mailed directly to potentially impacted patients. For additional information, consumers can call 1-833-466-9216 toll-free.

A smaller number of individuals were also impacted through Beaumont ACO. Beaumont ACO has a separate contract with HealthEC. Because of this, two separate patient notices are going out, and impacted individuals may receive two notice letters. Corewell Health has advised that impacted data is the same for both Beaumont ACO and Corewell Health.

“Some Corewell patients may receive two letters due to the impact of this breach, which may cause confusion,” Nessel wrote. “Irrespective of how or when you’ve been impacted by a security breach, my department stands ready to help Michigan residents protect their identities and personal information.”

To file a complaint with the Attorney General’s office, call (517) 335-7599.