
A 2024 cyber mess at a Colorado vendor has come home to Michigan: the nonprofit health system Corewell Health confirmed Saturday that roughly 19,000 of its patients had personal information exposed. The records trace back to a network disruption at Pinnacle Holdings Ltd., a Colorado-based consulting firm that previously provided services to the health system. Corewell says it launched a detailed review and has begun mailing notices to impacted patients.
On its website, Pinnacle Holdings said it experienced a network disruption on Nov. 25, 2024, and that an unauthorized actor may have copied data from its systems. The potentially exposed information varied by individual and may include names, addresses, phone numbers, Social Security and driver’s license numbers, medical diagnoses, prescription details, insurance information and dates of service. Pinnacle added that it has implemented additional safeguards, reported the incident to law enforcement and set up a call center for affected people.
Corewell Health said in a news release that it was recently notified of the incident and that around 19,000 patients were impacted; the system confirmed those details to CBS Detroit. The health system said it launched "a detailed and complex data review" to identify impacted individuals and that letters with next steps have gone out. Corewell also said it is not currently aware of any fraudulent activity tied to the incident, which is reassuring on paper, even if it does little to calm frayed nerves.
Why The Notice Came Now
Public filings and vendor notices show the attack occurred in late 2024, but it took months for Pinnacle and downstream partners to complete forensics and identify affected patients, which delayed notification into 2026. Notices filed with state authorities and reported by data-privacy outlets describe a timeline in which the vendor isolated its network, brought in third-party specialists and did not finish confirming impacted records until early 2026, according to public breach filings and reporting by the HIPAA Journal. That kind of staggered chain of notification is common when a subcontractor, a vendor and a health system each have to complete separate reviews before any letters can be mailed.
What To Do If You Got A Letter
Pinnacle's notice says impacted people will be offered enrollment in Kroll credit monitoring and identity-restoration services and can call a dedicated hotline at 866-686-2607 for help. Consumers are also advised to keep an eye on credit and bank statements, consider placing a fraud alert or credit freeze, and use the Federal Trade Commission's guidance at IdentityTheft.gov and the free annual credit-report site at AnnualCreditReport.com.
Legal Fallout And Local Context
At least one national law firm has already lined up to take a closer look. Lynch Carpenter says it is investigating claims tied to the Pinnacle incident and notes that nearly 20,000 people may be affected. The latest revelation lands against a backdrop of earlier vendor breaches that touched Corewell in 2023 and triggered calls from Michigan’s attorney general for tougher breach-notification rules, per a press release from the Michigan Attorney General. Those prior incidents, combined with the slow march of vendor notifications, have added to patient frustration and renewed scrutiny of how health systems handle third-party risk.
Corewell and Pinnacle say they are still investigating and have not identified fraud connected to this event. If you received a notice, hang on to it and follow the enrollment instructions for monitoring services; impacted people can call Pinnacle’s assistance line at 866-686-2607 with questions. This story will be updated as Corewell or the vendor releases more details.









