Why Would Corewell Health, a Premier Hospital Network in Michigan, Fail to Adequately Vet the Information Security Capabilities of Its Third-Party Health Care Providers?
Two breaches of my most sensitive personal information occurred in the last few months … and are incredibly troubling.
Years ago, I oversaw the information technology (IT) internal audit function at one of the world’s largest automotive companies. I tell you this because I have no misconceptions about the difficulty of securing networks, application systems, and databases from unauthorized access.
We used to have a saying: “In God we trust, all others we audit.”
What is the underlying problem in keeping our data private? Without well-designed controls and effective monitoring, computer networks, applications, and databases are like Swiss cheese!
Our board of directors wanted assurance, not excuses. My audit teams worldwide regularly assessed the company’s IT controls in factories, offices, and other locations.
When we provided our important data to third parties, we performed a risk assessment of their capability to secure the data. When warranted, we conducted compliance checks on the security standards said to be in place.
And all that third-party verification was for accessing our business data, not the extremely sensitive health, financial, and personal data collected and used by healthcare organizations.
Who Are These People, and Why Don’t They Care?
One of the largest healthcare groups in Michigan trusts its vendors (it seems) to protect patient data. However, Corewell Health could not have experienced so many breaches if it had implemented control standards similar to those of other large companies. Why contract with a third party who won’t do everything possible to protect your clients?
With big fanfare in early 2022, Beaumont Health and Spectrum Health in Michigan announced the move to create a new health system called Corewell Health.
Corewell is the largest health system in Michigan, based on inpatient admissions and net patient revenue. The organization is headquartered in Grand Rapids and has over 60,000 employees.
· In December 2023, I was notified by Welltok, a vendor to Corewell Health, that it had been breached. They said my personal information (name, birth, address, phone, diagnosis, health insurance, and SSN) may have been stolen. Interestingly, when I tried to research what the company does and why Corewell might have given them my data without my permission, I found that Welltok had been acquired by Virgin Pulse in 2021 and that Virgin Pulse has since merged with HealthComp to become PersonifyHealth in February 2024. So, who oversees security across this mixture of potentially incompatible systems? [https://personifyhealth.com/]
· Four months later, in April, I was notified by HealthEC, a population health management platform, c/o Cyberscout, on behalf of Corewell Health, that they had been breached and certain files copied. They said my personal information (name, address, birth, SSN, medical diagnosis, mental and physical condition, prescription information, health insurance information, beneficiaries, Medicaid/Medicare information, billing and identification information, and treatment cost) may have been stolen. [https://healthec.com/]
I’ve never used either company’s services. Corewell Health gave my data to them. Both companies only apologized in their letters and offered “free credit monitoring” services, which are worthless to protect my privacy.
My efforts to engage Corewell’s Privacy Officer in a discussion went nowhere. Apparently, HIPAA allows them to give my information to anyone, whether or not I’ve asked for service. I can’t “opt out.”
About Corewell Health
Corewell must have something going for it, given the awards received already:
· Corewell Health ranked No. 15 among 56 large organizations ranked by Computerworld.com in their “Best Places to Work in IT for 2023” list. The award recognizes the top organizations that challenge their IT staff while providing great benefits and compensation. Apparently, Computerworld doesn’t consider the challenges posed by good security in their ranking process, and Corewell doesn’t challenge their IT staff enough, at least in cybersecurity.
· In 2023, twelve Corewell Health hospitals were recognized by U.S. News & World Report as 2023-2024 Best Hospitals. Corewell Health has the most nationally recognized hospitals in the state. Given these data breaches and the type of recognition they should receive, I expect Corewell’s ranking to fall next year.
· Just months before the December Welltok data breach, Corewell Health earned high marks in the 2023 College of Healthcare Information Management Executives (CHIME) Digital Health Most Wired survey, a comprehensive “digital health check-up” for healthcare organizations. If Corewell’s process for protecting patients’ private information is ever considered next year in their “digital health” score, they certainly should not expect kudos from CHIME!
Where Are Corewell’s Leadership Team and Board?
You would think a hospital network with so many honors could figure out how to protect their patients’ data better. I recently offered to help Corewell on this, but I doubt they will respond.
A couple of years ago, when I left the corporate world to do consulting, I traveled to Dubai to help train the board of directors of a large foreign national bank headquartered in Africa. The purpose was to discuss their role and responsibility for overseeing cybersecurity in their bank. I think that training was an eye-opener for them. Does Corewell’s board ask for similar briefings from their Internal Audit Director or outside CPA firm?
I believe Corewell Health’s board of directors should be equally concerned about its responsibility for protecting patient data. They may want to ask management to explain what it is doing to ensure third parties selected to assist Corewell with delivering health care services have the necessary controls. They should ask Internal Audit to provide ongoing assurance that the job is getting done.
No more surprises, please. I’m already very concerned about who has my data and what they plan to do with it.