Corewell Health security breach

The Michigan Attorney General's Office said Tuesday that a cybersecurity breach incident involving a Corewell Health vendor affected more than one million state residents. This is the second accident of this type to affect a company contracted by Corewell, according to authorities.

Details of the incident on HealthEC and information compromised

The security incident occurred at HealthEC, a population health management platform that provides services to Corewell facilities in southeast Michigan to monitor at-risk patients and improve care. The compromised data includes sensitive information such as name, address, date of birth, Social Security number, medical record number, mental and physical health information, prescription data, and other healthcare identifiers.

Responding to data breach notifications

Notification letters to individuals affected by the incident were sent on December 22. You will also be provided with instructions on how to obtain free identity protection and credit monitoring services for 12 months, offered by HealthEC. A narrow portion of individuals were also impacted through Beaumont ACO, which has a separate contract with HealthEC.

Reaction from the Michigan Attorney General's Office

“Some Corewell patients may receive two letters due to the fallout from this incident, which can be confusing,” Nessel commented. “Regardless of how or when you have been affected by a security breach, my office is prepared to provide assistance to Michigan residents to protect their identity and personal information.” He also stressed the importance of the Michigan legislature adopting more stringent measures, similar to those already in place in other states, to protect the health data of the state's residents.