Attorney General Dana Nessel announced Tuesday that more than 1 million Michigan residents were affected by a cybersecurity breach at HealthEC LLC, a partner of Corewell Health Centers in southeastern Michigan.
Nessel’s office said HealthEC mailed letters to those affected on Friday. Potentially vulnerable personal information includes name, address, date of birth, social security number, medical record number, medical diagnoses, diagnosis codes, mental and physical conditions, prescription information, health care provider name, and health insurance. information, billing and billing information.
This is the second cyberattack the state’s largest health care system, Corewell Health, has announced in recent months. In November, Corewell announced that a cyber attack on Weltok, the software company that contracts with Corewell, had compromised the personal information of 1 million patients in Michigan.
Currently, health systems are not required to alert the attorney general’s office before disclosing cybersecurity breaches, and states often learn about cybersecurity breaches through the media, it said in a news release.
“Michigan residents are facing a surge in healthcare data breaches and deserve strong protections,” Nessel said in a news release. “It is important that the Michigan Legislature joins many other states in requiring companies that experience data breaches to immediately notify the attorney general.”
A previous breach, unrelated to the one Nessel announced Friday, occurred in May when an unauthorized attacker gained access to data stored by Welltok. Welltok also offers a health lifestyle portal for Corewell’s health insurance plan, Priority Health.
The hackers gained access to Welltok’s MOVEit Transfer server, a platform used to exchange files and data, the company said in a statement. The breach occurred on May 30th and data was leaked from the server.