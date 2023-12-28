LANSING, Mich. (WLNS) — A data breach at a large Michigan health system has affected more than 1 million people.

Customers of Corewell Health learned about it last Friday, which was months after the data breach happened.

It’s the second time Corewell Health has had a data breach in the past seven months. This time around, it happened through a vendor of Corewell’s, Health EC, which analyzes patient data.

The data breach has compromised people’s personal information that includes people’s social security numbers and medical history.

The breach took place in July, but Michigan Attorney General Dana Nessel told 6 News that her office didn’t find out until December, though Corewell found out in October. That’s why she wants new laws to start holding companies accountable.

“To know that they’re keeping that a secret. Not telling the people who are affected. Not telling the department in the state that is in charge of consumer protection. It’s very dangerous,” Nessel said.

“There is more that we can be doing to protect people’s personal information, but we have to have the laws on the books that allow enforcement,” she continued.

The problem, she says: In Michigan, there is no requirement for companies to alert the Attorney General’s office of a data breach.

Nessel wants to see legislation that requires companies to report data breaches immediately.

“What we would like to be able to do is to say, ‘You know, look, if you don’t properly secure and store data, or if you don’t report a data breach, you’re going to be subjected to significant fines.’ That’s what they do in other states, but not here in Michigan,” Nessel said.

The AG isn’t happy with Corewell’s lack of transparency.

“We’re not happy with the responses that we are receiving. We’re not happy with the way Corewell is being secretive in terms of not relaying this information and not being nearly transparent enough,” Nessel said. “And, obviously, whatever they’re doing to secure and store patients’ information–it’s clearly inadequate.”

Nessel added that it’s important to get the word as as quickly as possible, so that people can change their passwords and take other necessary actions to protect their information.

“This affects one out of every 10 Michiganders. Just one particular company,” Nessel said. “Imagine how it affects each and every person in the state of Michigan.”

The Corewell Health data breach has affected more than 1 million people. (WLNS)

The hacked vendor, Health EC, sent 6 News a statement saying:

“HealthEC became aware of suspicious activity potentially involving our network and promptly began an investigation. The investigation determined that certain systems were accessed by an unknown actor. We take this event and the security of information in our care very seriously.