(WWJ) - A cybersecurity breach at a third-party health management platform exposed the information of more than one million patients at a local health system, the Michigan Attorney General said.
HealthEC LLC, which provides services for Corewell Health’s southeastern Michigan locations, has had a cybersecurity breach. HealthEC is a vendor which provides services to “identify high-risk patients, close gaps in care and recognize barriers to optimal care” to Corewell Health, officials said.
Affected people were mailed a letter regarding the breach on Dec. 22.
Impacted data may include a patient’s name, address, date of birth, Social Security number, medical record number, medical information, including diagnosis, diagnosis code, mental or physical condition, prescription information and provider’s name, health insurance information which includes beneficiary number, subscriber number, Medicaid and/or Medicare identification number and billing and claims information, which includes patient account number, patient identification number and treatment cost information.
Not all information may be impacted for each person.
“Health information is some of the most personal information we have,” Michigan Attorney General Dana Nessel said. “Michigan residents have been subjected to a surge of healthcare-related data breaches and deserve robust protection. It is critical that the Michigan legislature join the many other states that require companies who experience a data breach to immediately inform the Department of Attorney General.”
Corewell Health announced a data breach at Welltok Inc, a software company that handles communications services for the health system, in November. That data breach also impacted one million Michigan patients, officials said.
McLaren Health Care and the University of Michigan health system also faced cyberattacks in 2023.
Nessel’s office said Corewell Health notified them about the breach prior to making a public announcement. It is not currently required by law in Michigan, and Nessel’s office said they often find out when there is a media report.
Beaumont ACO has a separate contract with HealthEC, and a small number of people were also impacted by the breach. Two separate notices are being sent out, and some impacted patients may receive two letters.
Some Corewell patients may receive two letters due to the impact of this breach, which may cause confusion,” Nessel said. “Irrespective of how or when you’ve been impacted by a security breach, my Department stands ready to help Michigan residents protect their identities and personal information.
HealthEC is offering impacted patients 12 months of credit monitoring and identity protection services through TransUnion. Information on the enrollment process will be mailed to potentially impacted patients, officials said.
People can call 833-466-9216 for additional information.
Data Breaches: What to do Next has additional information for individuals.
The Consumer Protection Team can be contacted at 517-241-3771, Toll Free at 877-765-8388. Their address is P.O. Box 30213, Lansing, Mich. 48909. There is also a form available