More than 1 million patients at Corewell Health may have had their information exposed as the health system's population health management vendor, HealthEC, experienced a data breach, Michigan Attorney General Dana Nessel said Dec. 26.
A small number of patients were also affected through Beaumont ACO, which has a separate contract with HealthEC.
HealthEC sent affected patients letters about the breach Dec. 22. Exposed patient information may include names, addresses, dates of birth, Social Security numbers and medical information such as diagnoses, prescriptions and health insurance account details. The company is offering patients 12 months of credit monitoring and identity protection services through TransUnion.
"Upon learning of the suspicious activity, we moved immediately to investigate and respond," HealthEC said in a Dec. 22 statement on its website. "The investigation included confirming the security of our network, reviewing the relevant files and systems, notifying potentially affected business partners/customers, and notifying federal law enforcement. As part of our ongoing commitment to your privacy and the security of information in our care, we are also reviewing our existing policies and procedures."
The breach comes about a month after another Corewell vendor, Welltok, disclosed it was targeted in the massive MOVEit breach. Welltok offers patient communication services to Grand Rapids and Southfield, Mich.-based Corewell Health and operates a wellness portal for Priority Health, the health system's health plan. Health records of around 1 million patients and about 2,500 Priority Health members were potentially exposed in the breach.
Editor's note: Becker's has reached out to Corewell for comment and will update this article if more information becomes available.