Privacy Breach at University of Michigan Health-Sparrow: Patient Data Compromised
University of Michigan Health-Sparrow has reported a privacy incident involving unauthorized access to patient information through a health information exchange. The breach, affecting approximately 186 patients, was identified after Epic Systems Corporation, the hospital's electronic health record vendor, flagged unusual data request activities by third-party companies. This incident underscores the critical need for robust data protection measures within healthcare systems.
Between March 12 and March 25, 2026, unauthorized parties potentially accessed records containing demographic details, clinical data, and health insurance information, though Social Security numbers were not breached. Epic Systems has initiated legal proceedings in the U.S. District Court for the Central District of California against Health Gorilla and other entities, alleging that they gained unauthorized access by impersonating legitimate healthcare providers. Such actions highlight the regulatory compliance challenges faced by healthcare organizations.
In response, UM Health-Sparrow is working closely with Epic and related entities to investigate the breach and is actively monitoring the ongoing litigation. The incident has been reported to the necessary regulatory bodies, reinforcing the institution's commitment to compliance. Jeanne Strickland, Chief Compliance Officer at Michigan Medicine, emphasized the facility's dedication to patient privacy and to potential enhancements of its safeguards.
Although the identity theft risk is low due to the absence of financial information in the breach, affected individuals are urged to monitor their insurance statements for unauthorized services. UM Health-Sparrow has reached out to impacted patients, offering guidance on identity protection. Patients with concerns can contact the Assistance Line, as the organization continues to address the situation proactively, ensuring the security and integrity of patient information.