Corewell Health Data Disaster: 19,000 Michigan Patients Snared In Vendor Hack

A 2024 cyber mess at a Colorado vendor has come home to Michigan, with Corewell Health confirming that roughly 19,000 of its patients had personal information exposed, the nonprofit said Saturday. The records trace back to a network disruption at Pinnacle Holdings Ltd., a Colorado-based consulting firm that previously provided services to the health system. Corewell says it launched a detailed review and has begun mailing notices to impacted patients.

On its website, Pinnacle Holdings said it experienced a network disruption on Nov. 25, 2024, and that an unauthorized actor may have copied data from its systems. The potentially exposed information varied by individual and may include names, addresses, phone numbers, Social Security and driver’s license numbers, medical diagnoses, prescription details, insurance information and dates of service. Pinnacle added that it has implemented additional safeguards, reported the incident to law enforcement and set up a call center for affected people.

Corewell Health said in a news release that it was recently notified of the incident and that around 19,000 patients were impacted; the system confirmed those details to CBS Detroit. The health system said it launched “a detailed and complex data review” to identify impacted individuals and that letters with next steps have gone out. Corewell also said it is not currently aware of any fraudulent activity tied to the incident, which is reassuring on paper, even if it does little to calm frayed nerves.

Why The Notice Came Now

Public filings and vendor notices show the attack occurred in late 2024, but it took months for Pinnacle and downstream partners to complete forensics and identify affected patients, which delayed notification into 2026. Notices filed with state authorities and reported by data-privacy outlets describe a timeline in which the vendor isolated its network, brought in third-party specialists and did not finish confirming impacted records until early 2026, according to public breach filings and reporting by the HIPAA Journal. That kind of staggered chain of notification is common when a subcontractor, a vendor and a health system each have to complete separate reviews before any letters can be mailed…
