Data Breach at Munson Healthcare Affects 120,000 Patients
In a significant cybersecurity incident, Munson Healthcare recently disclosed that approximately 120,000 patients may have had their personal information compromised due to a breach involving a third-party vendor. This situation attracted the attention of Michigan’s Attorney General, Dana Nessel, who issued a press release to emphasize the need for stronger consumer protection laws regarding data breaches.
Munson Healthcare, based in Traverse City, now joins a list of local organizations that have fallen victim to major cybersecurity vulnerabilities, which includes various government entities, educational institutions, and the area’s largest private employer. The breach was associated with Cerner Corporation, the supplier of Munson’s electronic health record (EHR) systems. In a written statement, Munson’s Chief Marketing and Communications Officer, Megan Brown, noted that the unauthorized access occurred through Cerner’s servers, where sensitive patient data is stored.
According to Brown, Cerner informed Munson and some affected patients about the breach, which was detected in January 2025. In coordination with law enforcement, Cerner delayed notifying affected parties to avoid jeopardizing their investigation. This delay has drawn criticism from Attorney General Nessel, who voiced concerns over Michigan’s current legal framework that does not mandate immediate reporting of such incidents. Nessel emphasized that these delays expose consumers to heightened risks of identity theft, urging legislative reforms to enhance data breach notification protocols.
In terms of the data compromised, the breach potentially affected sensitive information, including patient names, Social Security numbers, and various details within medical records such as diagnoses and treatment history. To assist affected individuals, Munson is offering complimentary credit monitoring services through Experian.
This incident is not isolated. The Traverse City area has seen a number of recent cybersecurity breaches. In 2024, Traverse City Area Public Schools (TCAPS) faced a ransomware attack that resulted in extended class cancellations. A hacker group threatened to publish sensitive district data if their ransom demands were not met, ultimately causing some employee information to be leaked. Subsequently, both the City of Traverse City and Grand Traverse County also experienced comparable ransomware attacks.
Additionally, Hagerty, Traverse City’s largest private employer, is dealing with its own data breach, as announced by New York State Attorney General Letitia James. Her office revealed that Hagerty had experienced two separate attacks, exposing personal information of around 66,000 individuals in New York. The incidents were part of a broader campaign targeting car insurance companies, leveraging vulnerabilities associated with online quoting tools.
In the context of these cyber threats, the tactics and techniques employed by adversaries can be analyzed using the MITRE ATT&CK framework. Potential tactics in this case may include initial access through phishing or exploiting vulnerabilities in third-party services, as well as data exfiltration techniques once access was established. The year-long gap before notification also underlines the necessity for operational transparency and enhanced cybersecurity measures within organizations.
Moving forward, both Munson Healthcare and local entities are likely to reevaluate their cybersecurity protocols and incident response plans. Brown expressed a commitment to top-tier data security practices, underscoring the continuous efforts made by Munson in safeguarding patient information. As the digital landscape evolves, so too must the strategies employed by organizations to protect against emerging cyber threats.