## Overview
Cherry Health, a federally qualified health center serving communities across Michigan, issued a preliminary breach notice on June 18, 2026, acknowledging that an unknown person or persons had gained unauthorized access to its network. The intrusion was first detected on April 19, 2026 — nearly two months before the public notice appeared on the organization's website.
According to the preliminary notice, the attacker or attackers copied data from Cherry Health's network during the period of access. The organization has not yet specified which data types were affected, how many individuals are involved, or whether protected health information (PHI) was among the exfiltrated files. The notice is described as preliminary, suggesting a more detailed disclosure is expected as the investigation continues.
No reference was made in Cherry Health's notice to any regulatory filing or earlier public reporting on the incident. The timeline between detection and public disclosure — approximately 60 days — falls within the 60-day window HIPAA requires for notifying affected individuals following the discovery of a reportable breach, though federal breach notification to HHS and affected individuals had not yet been publicly confirmed at the time of the preliminary notice.
## Key developments
Detection-to-disclosure gap raises questions. Cherry Health detected suspicious network activity on April 19, 2026, but did not publish even a preliminary notice until June 18 — 60 days later. While this technically aligns with HIPAA's outer boundary for individual notification, the elapsed time between detection and any public communication leaves patients and partners with limited information during a critical window.
Data exfiltration confirmed, scope unspecified. The organization confirmed that data was copied from its network but has not yet disclosed the categories of information involved, the number of records affected, or whether the breach triggers HIPAA's notification requirements. For a federally qualified health center, patient records typically include sensitive clinical, demographic, and insurance data.
Preliminary notice signals ongoing investigation. By characterizing its disclosure as preliminary, Cherry Health indicated that a fuller accounting of the breach — including affected individuals, data types, and remediation steps — has not yet been completed. This pattern is increasingly common in complex healthcare network intrusions, where forensic analysis can take weeks or months to complete.
No mention of prior regulatory reporting. The published notice contains no reference to any earlier report filed with HHS, law enforcement, or state regulators, leaving the public record incomplete at the time of this writing.
## Industry impact
Data exfiltration incidents at community health centers carry particular weight because these organizations serve high proportions of low-income, uninsured, and underinsured patients whose health data may include behavioral health records, HIV status, substance use treatment information, and other especially sensitive categories protected under additional federal and state laws beyond HIPAA.
According to HHS Office for Civil Rights breach portal data, healthcare breaches involving network server intrusions consistently account for the largest share of records exposed annually. The 2024 IBM Cost of a Data Breach Report placed the average cost of a healthcare data breach at $9.77 million — the highest of any industry sector for the fourteenth consecutive year — reflecting both the complexity of healthcare IT environments and the regulatory obligations that follow confirmed PHI exposure.
For community health centers operating on constrained budgets, the financial and operational consequences of a network intrusion can be disproportionately severe. Federal funding streams and grant compliance requirements may impose additional reporting obligations beyond HIPAA, compounding the administrative burden of breach response.
## What this means for independent practices
- Review your breach response timeline now. HIPAA's 60-day clock for individual notification begins at the point of discovery, not the conclusion of investigation. Practices should confirm they have documented procedures that distinguish the discovery date from the investigation completion date.
- Audit third-party data flows. If your practice refers patients to or shares data with a federally qualified health center or similar partner organization, identify what data was shared and assess your own notification obligations if partner breaches involve your patients' PHI.
- Verify your business associate agreements. Any entity that receives PHI from your practice must have a current, executed BAA. A partner's breach may trigger your own reporting obligations depending on how data was shared.
- Document detection-to-response steps in writing. Regulators examining breach timelines expect documented evidence of when suspicious activity was identified, when the investigation was escalated, and when legal counsel and compliance staff were engaged. Undocumented timelines create compliance exposure.
- Assess whether your incident response plan covers exfiltration specifically. Ransomware-focused response plans do not always account for silent data copying without encryption or system disruption. Confirm your plan addresses both scenarios.
Incidents of this kind illustrate the compliance risk of treating breach notification as a task to complete after investigation rather than a process that runs concurrently with it. Independent practices benefit from establishing standing procedures that initiate notification workflows and evidence preservation at the moment suspicious activity is confirmed — not after forensic analysis is complete. Waiting for full clarity before taking any notification steps is a common and costly misstep.
## What would have prevented this
Network segmentation: Dividing the network into isolated zones limits how far an attacker can move after gaining an initial foothold. Had sensitive data repositories been isolated from general network access, the scope of data available for copying would have been significantly reduced.
Continuous network monitoring with anomaly detection: Automated monitoring tools that establish baseline traffic patterns and alert on deviations — such as unusual data volumes moving toward external destinations — can surface exfiltration activity in or near real time, enabling faster containment than periodic reviews allow.
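The baseline-and-deviation logic described above, as an added example (not Cherry Health's tooling or any vendor product): it sums each host's daily bytes to external destinations from a constructed flow log, builds a leave-one-out baseline per host, and flags days that sit far outside it. The internal address ranges, host names and flow format are assumptions.

```python
import ipaddress
import statistics
from collections import defaultdict

# Constructed flow log (date, source host, destination IP, bytes out); not real data.
FLOWS = """\
2026-04-12,ehr-db01,203.0.113.10,120000
2026-04-13,ehr-db01,203.0.113.10,115000
2026-04-14,ehr-db01,10.0.0.5,9000000
2026-04-14,ehr-db01,203.0.113.10,130000
2026-04-15,ehr-db01,203.0.113.10,118000
2026-04-16,ehr-db01,203.0.113.10,4800000000
2026-04-12,ws-frontdesk,198.51.100.7,50000
2026-04-13,ws-frontdesk,198.51.100.7,52000
2026-04-14,ws-frontdesk,198.51.100.7,49000
"""

# Assumed internal address space (RFC 1918 plus loopback); adjust per site.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_external(ip: str) -> bool:
    """True when the destination lies outside the defined internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def daily_egress(flow_text: str) -> dict:
    """Sum bytes per host per day, counting flows to external destinations only."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in flow_text.splitlines():
        day, host, dst, nbytes = line.split(",")
        if is_external(dst):
            totals[host][day] += int(nbytes)
    return totals

def find_anomalies(flow_text: str, z_threshold: float = 3.0,
                   min_bytes: int = 1_000_000) -> list:
    """Return (host, day, bytes) for days far above that host's own baseline.
    Baseline = mean/stdev of the host's other days (leave-one-out), so a single
    huge transfer cannot hide itself; min_bytes drops low-volume noise."""
    alerts = []
    for host, days in daily_egress(flow_text).items():
        for day, nbytes in sorted(days.items()):
            others = [v for d, v in days.items() if d != day]
            if len(others) < 2 or nbytes < min_bytes:
                continue
            sd = statistics.pstdev(others) or 1.0  # flat-baseline guard
            if (nbytes - statistics.mean(others)) / sd > z_threshold:
                alerts.append((host, day, nbytes))
    return alerts
```

The large internal transfer on 2026-04-14 is ignored because it never leaves the defined internal ranges; only the external spike on 2026-04-16 is reported.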
Data loss prevention (DLP) controls: DLP systems inspect outbound data flows and can block or flag transfers of files matching defined sensitive-data patterns, including PHI, before copying is completed. Deployed at network egress points, they act as a last line of defense against exfiltration even when perimeter defenses have already been bypassed.
Privileged access controls and least-privilege enforcement: Limiting which accounts can access sensitive data repositories, and ensuring that no account carries broader access than its function requires, reduces the volume of data reachable through any single compromised credential.
Endpoint and log telemetry with centralized retention: Retaining detailed endpoint and network logs in a centralized, tamper-resistant repository gives incident responders the evidence needed to reconstruct attacker movement and accurately define the scope of a breach — shortening investigation timelines and improving the accuracy of required regulatory notifications.