The Michigan healthcare organization recently notified patients of the breach.
What happened
Cherry Street Services, also known as Cherry Health, is a nonprofit healthcare organization based in Grand Rapids, Michigan. The organization is Michigan’s largest Federally Qualified Health Center (FQHC) and operates in six counties across the state, with 20 locations. The organization provides primary care, dental, vision, behavioral health, pharmacy services, and more to underserved communities.
The nonprofit faced a ransomware attack in 2023, exposing the personal data of nearly 185,000 individuals.
Going deeper
According to its regulatory filing on April 16th, 2024, the breach initially occurred on December 21st, 2023, and resulted in a network disruption that impacted its ability to operate certain systems.
Upon discovering the breach, Cherry Health immediately began an investigation with the assistance of a third-party organization, which determined that some data was accessed.
The company said the investigation was completed on March 25th and Cherry Health began to work on notifying patients soon after.
The filing stated information potentially stolen included names, addresses, phone numbers, dates of birth, health insurance information, health insurance and patient ID numbers, diagnosis/treatment information, financial account information, and Social Security numbers.
Cherry Health is providing impacted individuals with complimentary credit monitoring and identity protection services for 12 months.
What was said
In an online notice, the company said they are “not aware of any evidence that any information has been misused as a result of this cybersecurity incident.”
In their sample letter to impacted patients, Cherry Health also said, “We have implemented additional technical safeguards to further enhance the security of data we maintain and to prevent something similar from happening in the future.”
Why it matters
While the attack was filed as a ransomware incident, Cherry Health has not commented on the specifics of the breach and no ransom organization has claimed the attack.
For Cherry Health, the attack took several months to investigate. Generally, HIPAA requires healthcare organizations to disclose attacks to impacted patients within 60 days. Some breaches are not caught in time or notifications are delayed for other reasons.
It’s unclear why the investigation took several months or if Cherry Health has fully resolved this issue. In time, the healthcare organization may reveal more information.
Related: HIPAA Compliant Email: The Definitive Guide
Abby Grifno
