A health system in Michigan has recently experienced its second cybersecurity breach this year, impacting more than 1 million patients, according to state officials. The breach, which occurred at HealthEC, a vendor providing services to Corewell Health's southeast Michigan properties, has exposed personal and medical information of affected patients.

Michigan Attorney General Dana Nessel announced on Tuesday the breach at HealthEC, a vendor utilized by Corewell Health for identifying high-risk patients, closing gaps in care, and recognizing barriers to optimal care. While the specific information exposed remains unclear, it could include sensitive data such as names, addresses, dates of birth, Social Security numbers, medical diagnoses, mental/physical conditions, health insurance information, treatment cost information, and billing and claims information.

Patients affected by the breach were reportedly sent notice letters on December 22, as confirmed by Nessel's office. Health information is regarded as one of the most personal types of data, and Nessel emphasized the importance of robust protection and immediate reporting of breaches to the Department of Attorney General by companies encountering a data breach.

Corewell Health, which contacted the attorney general's office prior to making a public announcement, had also faced a data breach incident last month involving their vendor Welltok. This previous breach exposed similar personal and medical information, impacting more than 1 million patients.

This incident adds to a growing list of cyberattacks and data breaches affecting the healthcare sector across the United States. In Oklahoma, Integris Health experienced a data breach in November, with unauthorized access obtained by an external party. On Christmas Eve, patients received messages from a group claiming responsibility for the breach, threatening to expose the information on the dark web unless payment was received.

In New Jersey, Capital Health recently reported network outages believed to be a result of a cybersecurity incident, although it remains unclear if any personal information was compromised. Ardent Health Services, which operates hospitals in New Jersey, had to divert ambulances and cancel certain procedures following a ransomware attack on Thanksgiving Day.

With cyber threats becoming increasingly prevalent, it is vital for healthcare organizations to prioritize the security of patient information and promptly address any vulnerabilities to safeguard the privacy and well-being of their patients.