Cyber Incident Victim: Corewell Health

Date: Oct 2021

Location: United States of America

Summary

A third-party law firm's systems experienced unauthorized access, compromising personal and prescription data of approximately 120,000 members of a Michigan health plan. The exposed information included names, pharmacy and claim details, drug names, and prescription dates from historical records. The responsible firm secured its network after detecting the incident and later notified the health organization, which subsequently confirmed no evidence of data misuse. Impacted individuals received notifications and support resources. Concurrently, unrelated breaches at other healthcare entities exposed sensitive patient data such as Social Security numbers, medical histories, and financial information, though similarly without evidence of exploitation. All affected organizations implemented enhanced security measures following investigations.

Description

On October 22, 2021, Warner Norcross & Judd (WNJ), a law firm providing services to Priority Health, detected unauthorized activity on some of its systems. WNJ immediately secured its network following the discovery but did not notify Priority Health—Michigan’s second-largest health plan serving over one million members annually—until June 6, 2022. The breach impacted approximately 120,000 Priority Health members. Investigations revealed that the unauthorized party potentially accessed first and last names, pharmacy and claim information, drug names, and prescription dates associated with certain prescriptions filled by members in 2012. Priority Health confirmed no evidence of misuse of the compromised data. WNJ assumed responsibility for notifying affected individuals and provided them with resources to address potential concerns arising from the incident.

The delayed notification from WNJ occurred nearly eight months after the initial breach detection. Priority Health’s public notice did not disclose the specific cause of the breach or technical details about the unauthorized access method. Similarly, no information was provided regarding whether the incident involved ransomware, phishing, or other attack vectors. WNJ’s remediation efforts focused on securing its network post-incident, but the firm did not publicize additional security measures implemented. The breach exclusively exposed data from 2012 prescriptions, leaving more recent member records unaffected. Priority Health emphasized its reliance on WNJ’s handling of incident response and member communications, with no mention of contractual or legal repercussions against the law firm. Both organizations maintained that the risk to affected individuals was mitigated by the lack of evidence supporting data misuse.
