Cherry Street Services, Inc., which operates as Cherry Health, has disclosed a data privacy event involving information tied to certain current and former patients and staff members.

What happened

According to a notice dated June 18, 2026, Cherry Health became aware of suspicious activity on its network on or about April 19, 2026. The investigation found that an unauthorized individual accessed and copied certain information on Cherry Health’s network. Cherry Health said it is still conducting a comprehensive review to determine exactly what information was involved and to whom it relates.

According to the notice of data privacy event, “Cherry Health is conducting a comprehensive review of the data involved, in partnership with third-party specialists, to determine which information was at issue and to whom it relates. Cherry Health will notify potentially affected individuals by written letter once the review is finalized,

Going deeper

Cherry Health’s latest notice should be read alongside, but not conflated with, its earlier data incident. In 2024, Cherry Health provided notice of a December 21, 2023, network disruption in which some of the data it maintained was accessed improperly; in its 2026 notice, the organization said that the suspicious network activity it detected led investigators to determine that certain information on its network had been accessed and copied by an unauthorized individual.

Barati and Yankson’s study provides a careful way to frame that context, noting that breach-risk analysis can “estimate the probability of the occurrence of a breach and its size using a predictive model with historical data as input.” The study shows that prior breach data can help organizations understand whether another breach may occur (by learning from the entry points used during that breach and improving security) and how large or damaging it could become. For Cherry Health, the previous disclosure should not be treated as evidence that the events are connected, but it does provide relevant context for why healthcare organizations need to make post-incident review part of ongoing risk management.

Why it matters

The larger issue is that healthcare organizations are operating in an environment where weak or inconsistently enforced controls can turn routine systems into recurring points of risk. Paubox’s 2026 Healthcare Email Security Report found 170 healthcare email-related breaches in 2025, with 41% of organizations assessed as high risk and 74% of breached domains lacking effective DMARC enforcement.

While Cherry Health’s notice does not identify email as the attack vector, the data points to a broader sector problem: security failures often stem from control gaps that are known, measurable, and correctable before patient or workforce information is compromised. For covered entities, the compliance lesson is that breach response should not stop at investigation and notification. Organizations should also use the incident to reassess access controls, audit logs, vendor oversight, employee training, and technical safeguards so that the same weakness does not lead to another reportable breach.
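As an added illustration of what "effective DMARC enforcement" means in the Paubox figure cited above (this is example code, not from the report, from Paubox, or from Cherry Health), the following Python snippet classifies DMARC TXT records the way a defender auditing a domain would. The domain names and records are constructed samples; the DNS lookup itself is assumed to have been done separately.

```python
# Constructed sample DMARC TXT records for illustration (not real domains).
SAMPLES = {
    "hospital-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@hospital-a.example",
    "hospital-b.example": "v=DMARC1; p=quarantine; pct=100; sp=none",
    "clinic-c.example": "v=DMARC1; p=none; rua=mailto:reports@clinic-c.example",
    "clinic-d.example": "v=DMARC1; p=reject; pct=10",
    "practice-e.example": "",  # no record published at _dmarc.<domain>
}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into lower-cased tag -> value pairs."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_enforcement(record: str) -> tuple:
    """Return (status, reason).

    Only a policy that rejects or quarantines the full message stream,
    including subdomains, counts as 'enforcing'. Monitor-only (p=none),
    a reduced pct=, a weaker subdomain policy, or a missing record do not.
    """
    if not record.strip():
        return "missing", "no DMARC record published"
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "invalid", "record does not declare v=DMARC1"
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid", "missing or unrecognised p= tag: %r" % policy
    if policy == "none":
        return "monitor-only", "p=none reports spoofing but never blocks it"
    pct = int(tags.get("pct", "100")) if tags.get("pct", "100").isdigit() else 0
    if pct < 100:
        return "partial", "p=%s applies to only %d%% of failing mail" % (policy, pct)
    if tags.get("sp", policy).lower() == "none":
        return "partial", "subdomains fall back to sp=none"
    return "enforcing", "p=%s applied to all mail, subdomains included" % policy


def audit(records: dict) -> dict:
    """Map each domain to its enforcement status for a quick fleet-wide view."""
    return {domain: assess_enforcement(rec)[0] for domain, rec in records.items()}
```

A real audit would feed `assess_enforcement` the TXT record fetched from `_dmarc.<domain>` and flag anything other than `enforcing` for follow-up.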

FAQs

What should a healthcare organization do after unauthorized access?

It should secure its systems, investigate what happened, identify the affected information, assess breach notification duties, and document its response.

Do business associates have HIPAA duties after unauthorized access?

Yes. A business associate must notify the covered entity if a breach occurs at the business associate or if the business associate is responsible for the breach.

What are the breach notification timelines under HIPAA?

Under the HIPAA Breach Notification Rule, covered entities must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovering a breach of unsecured protected health information.