Full Report
Fox2 reports: Corewell Health announced their former health care consulting vendor experienced a data breach in 2024, affecting thousands of patients. Pinnacle Holdings previously provided health care consulting services to Corewell Health. After being notified of the data breach, Corewell said they conducted a review to identify who was impacted. The health system said around...
Analysis Summary
# Incident Report: Pinnacle Holdings / Corewell Health Supply Chain Breach
## Executive Summary
Corewell Health announced a major data breach originating from a third-party vendor, Pinnacle Holdings, which previously provided healthcare consulting services. The incident resulted in the unauthorized access of sensitive personal and medical data for approximately 19,000 patients. Corewell Health was notified of the vendor’s breach and subsequently conducted a review to determine the specific impact on its patient population.
## Incident Details
- **Discovery Date:** Public reporting noted in March 2026 (incident reported as having occurred in 2024)
- **Incident Date:** 2024
- **Affected Organization:** Pinnacle Holdings (Primary); Corewell Health (Downstream)
- **Sector:** Healthcare
- **Geography:** United States (Michigan/Detroit focus)
## Timeline of Events
### Initial Access
- **Date/Time:** 2024 (Specific month/day not disclosed)
- **Vector:** Targeted attack on third-party vendor (Pinnacle Holdings)
- **Details:** Attackers gained unauthorized access to the systems of Pinnacle Holdings, a former consulting vendor for Corewell Health.
### Lateral Movement
- **Details:** Not disclosed; however, the breach involved access to historical data provided to the vendor for consulting purposes.
### Data Exfiltration/Impact
- **Details:** Sensitive data involving roughly 19,000 patients was accessed. Compromised data sets included names, contact information, Social Security numbers (SSNs), medical information, and insurance details.
### Detection & Response
- **How it was discovered:** Pinnacle Holdings identified a security breach and notified Corewell Health.
- **Response actions taken:** Corewell Health initiated a data review and forensic audit to identify the specific individuals impacted and verify the categories of data exposed.
## Attack Methodology
- **Initial Access:** Cyberattack on healthcare consulting vendor (Pinnacle Holdings).
- **Persistence:** Not disclosed.
- **Privilege Escalation:** Not disclosed.
- **Defense Evasion:** Not disclosed.
- **Credential Access:** Not disclosed.
- **Discovery:** Not disclosed.
- **Lateral Movement:** Not disclosed.
- **Collection:** Gathering of legacy data stored by the vendor for consulting services.
- **Exfiltration:** Theft of sensitive PII (Personally Identifiable Information) and PHI (Protected Health Information).
- **Impact:** Data breach leading to regulatory and notification requirements for thousands of patients.
## Impact Assessment
- **Financial:** Potential regulatory fines (HIPAA) and costs associated with state-mandated credit monitoring for 19,000 individuals.
- **Data Breach:** Compromise of Name, Address, SSN, Medical History, and Insurance ID for 19,000 patients.
- **Operational:** Diversion of resources for incident response and legal review.
- **Reputational:** Public coverage by Fox2 and major security outlets; potential loss of patient trust in vendor management practices.
## Indicators of Compromise
- **Network indicators:** None provided in the source report.
- **File indicators:** None provided in the source report.
- **Behavioral indicators:** Unauthorized access to patient databases stored on vendor infrastructure.
## Response Actions
- **Containment measures:** Vendor-side remediation (details not public).
- **Eradication steps:** Corewell Health moved to identify the scope of exposed patient records.
- **Recovery actions:** Notification to affected patients and public disclosure via media outlets.
## Lessons Learned
- **Vendor Data Lifecycle:** Data remained with a "former" vendor, suggesting a failure in data decommissioning procedures once the consulting contract ended.
- **Supply Chain Risk:** The security posture of third parties remains a critical vulnerability for healthcare providers.
- **Audit Gaps:** Organizations must ensure vendors delete sensitive data immediately after the conclusion of services.
## Recommendations
- **Asset/Data Disposal:** Implement strict contractual clauses requiring vendors to provide "Certificates of Destruction" for all PHI/PII upon termination of services.
- **Third-Party Risk Management (TPRM):** Conduct regular security audits and SOC 2 Type II reviews of all consulting partners handling patient data.
- **Encryption:** Ensure that any data shared with third parties remains encrypted at rest and that the vendor follows the principle of least privilege.