The Corewell Health Data Breach Affects 1 Million Patients

Merely weeks after the announcement of a data breach at Welltok, Inc., the software company contracted to provide communications services to Corewell Health's southeastern Michigan properties, on Tuesday, December 26, 2023, Michigan Attorney General Dana Nessel issued another release claiming over 1 million patients' information was accessed due to a cyberattack at HealthEC, LLC(HealthEC). Headquartered in Edison, New Jersey, HealthEC is a population health management platform that provides services to help "identify high-risk patients, close gaps in care, and recognize barriers to optimal care." 

As mentioned, due to the recent breach, the information of 1 million Corewell patients was accessed via a third party. However, according to the Attorney General's office, not all persons involved in the breach have the same impacted data. Those affected may have a mixture of the following personal information compromised:

• Name
• Address
• Date of birth 
• Social Security number
• Medical record number 

Other patient medical information accessed in the breach includes diagnosis, diagnosis code, mental/physical condition, prescription information, and the provider's name. Victims may also have had their health insurance information accessed, including their beneficiary and subscriber numbers. Other information accessed during the breach includes patients' Medicaid or Medicare identification numbers, billing and claims information, patient account numbers, patient identification numbers, and treatment cost information.

HealthEC is offering 12 months of credit monitoring and identity protection services through TransUnion; those affected will receive a letter in the mail detailing what information was impacted and how they can enroll. If you did not receive a letter, you can learn more information on how to enroll by dialing 1-833-466-9216 toll-free. This breach has also impacted a smaller number of Beaumont ACO patients, which has a separate contract with HealthEC. 

Those affected have been sent a notice letter in the mail. Both Beaumont ACO and Corewell Health patients may receive two letters in the mail due to the similarities of the breach. Both letters will contain details on what information was accessed and suggested next steps. HealthEC has 91 employees and provides service to Corewell Health's southeastern Michigan properties.

Data Breaches Are on the Rise in 2023

Over the last year, hundreds of companies have issued notices over data breaches that have affected millions of people all over the world. An independent study conducted by Massachusetts Institute of Technology professor Dr. Stuart Madnick found proof that data breaches have become an epidemic, threatening sensitive and personal consumer data the world over. According to the study, Dr. Madnick found the total number of data breaches more than tripled between 2013 and 2022 and exposed 2.6 billion personal records in the past two years.

In Michigan alone, just earlier this year, 2.5 million McLaren Health Care patients were affected by a ransomware attack, then again in late August, the University of Michigan faced a cyberattack that exposed personal information, including Social Security numbers, driver's licenses or other government-issued ID numbers, and medical records. Other notable data breaches launched in the last year include the MOVEit file transfers and the Xfinity/Citrix breach.

Victims of a Data Breach Can Still Protect Their Information

While HealthEC is offering 12 months of credit monitoring and identity protection services through TransUnion, you can take extra steps to protect your identity after a data breach. Victims who have or have yet to have their information accessed through a data breach should monitor their personal information regularly to ensure there is no suspicious or fraudulent activity taking place. Affected individuals can monitor their own credit using online credit reporting tools provided by credit unions like Equifax and Experian, who offer one free credit check a year. 

For more frequent credit monitoring, Credit Karma allows users daily access and alerts to their accounts in case anyone fraudulently uses their details to obtain credit cards or loans. If you find fraudulent activity on your accounts, you can contact the Federal Trade Commission (FTC), your state's Attorney General's office, or law enforcement to report incidents of identity theft.

Under the Fair Credit Reporting Act, victims have the right to be told if information in their credit file has been used against them, the right to know what is in their credit file, the right to ask for their credit score, and the right to dispute incomplete or inaccurate information. To learn more information on the Fair Credit Reporting Act or what steps you can take to better protect yourself from identity theft, visit the FTC's website at www.identitytheft.gov.

Victims of a data breach should also speak with an experienced data breach attorney, who can help them understand their legal options and increase their chances of recovering the compensation they deserve after third-party hackers have stolen their private information. For more information on data breaches and how to protect your identity, or if you have been affected by the Corewell Health data breach, contact a Morgan & Morgan data breach attorney today by completing our free, no-obligation case evaluation form.