Corewell Health Vendor Breach May Affect Montcalm County Patients, Investigation Underway

A Colorado-based consulting firm that once served Corewell Health suffered a network intrusion in late 2024 that exposed the personal and medical records of roughly 19,000 Michigan patients, including those in Montcalm County. Pinnacle Holdings LTD, a vendor that previously provided health care consulting services to Corewell Health, experienced a data event in November 2024.

Pinnacle Holdings said the network disruption hit certain systems on November 25, 2024. The Colorado-based firm said it "took immediate action" to address the incident and learned during its investigation that information "may have been acquired" by an unauthorized individual.

Immediately upon notification, Corewell launched a detailed and complex data review to determine impacted individuals so that notifications could be completed as soon as possible. That data review was only recently completed, allowing Corewell to identify which patients were affected.

The scope of the stolen data is broad. Affected data varied by individual but included names, addresses, phone numbers, Social Security numbers, driver's license numbers, dates of birth, medical diagnoses, prescription information, dates of service and health insurance information. It may also include digital signatures and biometric data.

Corewell spokeswoman Sharon Stanton confirmed the company was "recently notified" of the event and launched a data review to determine who was impacted, allowing Pinnacle to mail notification letters to more than 19,000 Corewell patients as well as other affected individuals.

Pinnacle reported the breach to law enforcement and has since implemented additional safeguards. The company said it is not currently aware of any fraudulent activity tied to the incident.

Anyone who received a notification letter is being offered enrollment in Kroll credit monitoring and identity restoration services at no cost. Affected people can call a dedicated hotline at 866-686-2607 for help and are advised to monitor credit and bank statements, consider placing a fraud alert or credit freeze, and use the Federal Trade Commission's guidance at IdentityTheft.gov. Additional information is available at askphc.com.

The data breach at Pinnacle Holdings affected several of the company's clients. For Corewell, it is not the first time a vendor relationship has put patient data at risk. In late 2023, breaches at two separate contractors, Welltok and HealthEC, exposed the records of more than one million Michigan residents, drawing scrutiny from the state Attorney General's office.

Patients who have not received a letter but believe they may have been affected can reach Pinnacle Holdings directly at 866-686-2607.