Paubox blog: HIPAA compliant email - easy setup, no portals or passcodes

Michigan provider announces another data breach, affecting 100,000

Written by Abby Grifno | January 26, 2026

Munson Healthcare is facing their second data breach in recent years.

 

What happened

Munson Healthcare, a Northern Michigan-based healthcare organization, recently announced a data breach in connection with a vendor used by the practice. Although the data breach has not yet been reported to the Department of Health and Human Services, a recent news report stated the incident has impacted approximately 100,000 individuals.

 

Going deeper

The notice said the breach began with Cerner, an electronic health record (EHR) vendor. The incident occurred when an unauthorized actor gained access to legacy Cerner systems that Munson utilizes, sometime on or after January 22nd, 2025.

Some patients of Munson had information accessed, including names, Social Security numbers, and patient medical records. The notice said both Munson and Cerner participated in an investigation and secured their systems. Munson offered identity protection services to victims.

 

In the know

Munson experienced a data breach in 2021, as well. This breach, like the one with Cerner, began with a vendor Munson used: CaptureRx. CaptureRx’s breach impacted multiple providers, and the company faced a large class action lawsuit afterward. The suit was eventually settled for $4.75 million.

 

The big picture

Although the breach happened a year ago, Munson has still not reported the incident to the HHS, despite a rule stating breaches impacting more than 500 people must be reported in 60 days. Cerner Corporation filed a data breach report on June 17th, 2025, but noted that the breach impacted 501 individuals. This number generally indicates an organization has not reported or determined the full scope of the breach. An updated number is generally provided to the HHS once the true victim count is known.

Organizations that are involved in multiple breaches face additional challenges, like loss of patient trust and increasing financial costs associated with updating systems, assisting in investigations, and more. Two breaches in fairly close proximity show that Munson may need to take additional steps to ensure the business vendors they use are properly safeguarding data.

 

FAQs

Are healthcare organizations ever responsible for breaches at their vendor?

Healthcare organizations must sign a business associate agreement (BAA) with any organizations that handle PHI. These agreements should outline how the vendor will ensure the security of healthcare data. Generally, this agreement can help protect the healthcare organization from being liable for a data breach. However, if the healthcare organization was found negligent in securing the data or choosing the vendor, they could still be held somewhat responsible.

 

Are the breaches at CaptureRx and Cerner related?

The breaches are not related; however, it is interesting that two vendors of Munson have been breached. In their notice about the Cerner breach, Munson noted it was a “legacy” system, which generally means that it is outdated. If the system is outdated, then that may increase its vulnerability to attack.