Michigan’s Largest FQHC Suffers Ransomware Attack Affecting 184,000 Patients
Cherry Street Services, Inc., which operates as Cherry Health Services, fell victim to a ransomware attack in December 2023. Cherry Health is the largest federally qualified health center in Michigan, with 20 healthcare facilities in six counties in the state, and provides healthcare services to underserved communities, regardless of insurance status or their ability to pay for healthcare.
The Grand Rapids, MI-based healthcare provider said it experienced network disruption on December 21, 2024, that prevented access to some of its computer systems. Third-party cybersecurity specialists were engaged to investigate the incident and determined that unauthorized individuals had accessed certain files on its network. The review of the affected files was completed on March 25, 2024, and confirmed that protected health information was exposed in the attack, including names, addresses, phone numbers, dates of birth, health insurance information, health insurance ID number, patient ID number, provider name, service date, diagnosis/treatment information, prescription information, financial account information and/or Social Security numbers. The types of information exposed varied from individual to individual.
While healthcare data was potentially stolen in the attack, Cherry Health said it is unaware of any instances of actual or attempted misuse of patient data; however, as a precaution, the affected individuals have been offered 12 months of complimentary credit monitoring services, which includes monitoring of the dark web for the publication or sale of sensitive personal information, a $1 million identity theft insurance policy, and identity theft identity recovery services. Cherry Street said it has already taken steps to improve its technical safeguards to prevent similar incidents in the future. The incident has recently been reported to the Maine Attorney General as affecting 184,372 individuals.