Cyber Incident Victim: Munson Healthcare
Date: Jan 2025
Location: United States of America
Summary
A healthcare provider experienced a data breach through a third-party electronic health record vendor, compromising personal and medical information of over 100,000 patients including names, Social Security numbers, medical records, diagnoses, medications, test results, and treatment details. The organization is mailing notifications to affected individuals and offering free credit monitoring services, while the incident prompted state officials to advocate for stricter breach reporting requirements.
Description
In January 2025, Munson Healthcare experienced a data breach involving unauthorized access to patient information through its third-party electronic health record vendor, Cerner. The breach was first detected with confirmed access occurring as early as January 22, 2025, though the exact duration of unauthorized activity remains unspecified. The compromised data included sensitive personal identifiers such as patient names and Social Security numbers, along with comprehensive medical record details encompassing medical record numbers, treating physicians, diagnoses, prescribed medications, test results, medical images, and records of care and treatment. The incident affected more than 100,000 patients across Munson Healthcare's network, which includes Otsego Memorial Hospital. The healthcare system publicly disclosed the breach via an alert on its platform, though the specific date of this disclosure wasn't provided in available records. No threat actor or attack vector details were confirmed in the source material.

Munson Healthcare began mailing notifications to impacted patients in January 2026, nearly one year after the breach occurred. The organization offered affected individuals 24 months of complimentary credit monitoring services through Experian and established a dedicated call center (833-931-5700) for consumer inquiries. Michigan Attorney General Dana Nessel cited this delayed notification timeline when renewing her advocacy for state legislation mandating immediate cyber attack reporting to her office, emphasizing the need for prompt public alerts. While the breach's operational impact on healthcare services remained unstated, the exposure of highly sensitive medical and identity data created significant privacy risks for victims. The Attorney General publicly urged recipients of breach notifications to use the offered credit monitoring but did not comment on potential regulatory actions against Munson Healthcare or Cerner. This incident became a focal point in Michigan's ongoing policy discussions regarding cybersecurity disclosure requirements for critical infrastructure entities.
