A second breach of a Michigan health system this year has exposed more than 1 million patients' personal and medical information, state officials announced Tuesday.
The cyberattack hit HealthEC, a health management technology company that provides services to Corewell Health's southeastern Michigan properties.
Michigan Attorney General Dana Nessel's office said it mailed notice letters to affected patients on Dec. 22, but it's not clear which data was stolen from each impacted person.
In announcing the breach, she said the exposed information could include names, addresses, birth dates, Social Security numbers, medical records, including diagnoses, health insurance information, billing information and more.
Patients affected by the most recent HealthEC breach are eligible for 12 months of free credit monitoring and identity protection services through TransUnion. Information on how to enroll will be mailed directly to potentially impacted patients, Nessel's office said.
Data breach? Here's what you should do immediately
Millions of people a year are impacted by data breaches. Here is what you should do the next time you receive a letter that you were affected.
Corewell Health reported the breach to state officials before publicly announcing it, though Michigan law doesn't require the notification. But Nessel is hoping to change that law, as this was the second data breach Corewell Health has reported to her office in the past two months.
Just last month, a software company that provides communication services to Corewell Health, Welltok, Inc., was also affected by a breach affecting more than 1 million patients. Plus, 2.5 million McLaren Health Care patients were affected by a ransomware attack earlier this year.
"Health information is some of the most personal information we have," Nessel said. "Michigan residents have been subjected to a surge of healthcare-related data breaches and deserve robust protection. It is critical that the Michigan legislature join the many other states that require companies who experience a data breach to immediately inform the Department of Attorney General."
But Michigan's health care systems aren't the only spots getting hard hit by cybersecurity attacks this year.
More than 540 organizations and 112 million people were implicated in health care breaches in 2023, according to the Health and Human Services Office of Civil Rights. Last year, 590 health organizations reported data breaches, but in comparison, 48.6 million individuals were impacted.