## Overview

Cherry Health, a federally qualified health center based in Michigan, has been grappling with organization-wide technology failures that have disrupted phone systems and other operational infrastructure. The health system has acknowledged the outages on its website, stating that clinics remain open for scheduled visits, but has offered no explanation of the underlying cause.

Reporting by DataBreaches.net indicates the disruption is consistent with a ransomware attack, a characterization Cherry Health has neither confirmed nor denied publicly. Days into the incident, the organization has issued no formal breach notification and has not disclosed whether patient data has been compromised.

The gap between what appears to be happening and what the organization has publicly stated raises questions about transparency obligations under HIPAA's Breach Notification Rule. The rule requires covered entities to notify affected individuals without unreasonable delay, and in no case later than 60 calendar days after a breach of unsecured protected health information is discovered; for breaches affecting 500 or more individuals, HHS and prominent media outlets must be notified within the same window.

## Key developments

Unacknowledged ransomware indicators. Sources cited by DataBreaches.net characterize the incident as a ransomware attack, while Cherry Health's public communications describe only generic "technology issues." This framing is common in the early days of ransomware incidents, but it does not by itself satisfy the organization's obligation to provide accurate and timely information if a breach of protected health information has occurred.

Phone system and infrastructure-wide impact. The disruption affects phone systems across Cherry Health locations. Modern VoIP phone systems depend on the same servers, directory services and network infrastructure that ransomware typically encrypts or disables, so organization-wide phone failure is a pattern consistent with a ransomware deployment. Clinics have remained open for scheduled appointments, suggesting some operational continuity, but the scope of affected systems has not been disclosed.

Notification clock already running. Under the HIPAA Breach Notification Rule, the 60-day window for notifying affected individuals begins at the point of discovery, not at the point of public acknowledgment, and 60 days is an outer limit rather than a target: notification must be made without unreasonable delay. A breach is treated as discovered on the first day it is known to the covered entity, or would have been known had the entity exercised reasonable diligence. If the outages gave Cherry Health reason to know that protected health information had been compromised, that clock is already running regardless of when a formal public statement is made.

Federally qualified health centers face compounded risk. FQHCs serve disproportionately low-income and underserved populations, many of whom rely on phone access to schedule care. Extended outages at organizations like Cherry Health carry direct patient-care implications beyond the data-security dimension.

## Industry impact

Ransomware attacks on healthcare organizations have become one of the most financially and operationally damaging categories of cybersecurity incident. According to IBM's Cost of a Data Breach Report, healthcare has reported the highest average data breach cost of any industry for 13 consecutive years, reaching $10.93 million per incident in 2023. The U.S. Department of Health and Human Services' Office for Civil Rights has consistently identified hacking and IT incidents as the leading cause of large healthcare breaches reported to its breach portal.

HHS has also signaled increased enforcement scrutiny of organizations that delay breach notifications or provide incomplete disclosures. OCR's 2023 and 2024 enforcement actions included settlements tied specifically to failures in timely notification and risk analysis, not only to the breach itself. Organizations that understate or obscure the nature of an incident during the early response window can face compounded regulatory exposure.

Community health centers and FQHCs operate on constrained budgets and often lack the dedicated security personnel found at larger health systems, making recovery timelines longer and the operational disruption to patients more acute.

## What this means for independent practices

When an incident does occur, the quality of an organization's pre-incident preparation — documented risk analyses, tested recovery plans, trained staff, and clear notification procedures — determines both how quickly it recovers and how it fares in any subsequent regulatory review. Organizations that treat these disciplines as ongoing operational requirements, rather than annual checkbox exercises, are better positioned to demonstrate good faith to OCR even when a breach does occur.

## What would have prevented this

Network segmentation: Dividing clinical, administrative, and communications infrastructure into isolated segments limits the ability of ransomware to propagate across an entire organization from a single compromised entry point. Phone systems, electronic health records, and billing platforms should not share unrestricted network paths.

Immutable, offline backups: Backups that ransomware cannot reach or alter allow an organization to restore systems without paying a ransom. Two distinct properties matter here: offline or air-gapped copies are unreachable from the compromised network, and immutable copies (write-once or object-lock storage with a retention period) cannot be deleted or overwritten even with stolen administrator credentials. Backups that sit on the same network they protect, reachable with the same credentials, are frequently encrypted or deleted alongside the primary systems.

Endpoint detection and response (EDR): Continuous monitoring of endpoint activity can identify the behavioral patterns of ransomware deployment — such as mass file encryption or lateral movement — before the attack completes, enabling containment before organization-wide impact occurs.

Privileged access monitoring: Ransomware operators frequently escalate to domain or server administrator privileges after initial access, because those accounts let them reach every host and push the encryptor organization-wide. Monitoring and alerting on unusual privileged account activity, particularly logons outside business hours, from hosts an account does not normally administer, or fanning out across many hosts in a short window, can surface an intrusion while it is still containable.
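As an added illustration of the kind of rule such monitoring runs (example code written for this page, not Cherry Health's tooling or any vendor's product), the script below scans constructed Windows-style security log lines for privileged logons (event 4672) that occur outside business hours, land on a host the account does not normally administer, or fan out across several hosts within a few minutes. The log format, account names, business-hours window, baseline host list and thresholds are all assumptions for the example; the sample lines are constructed, not real data.

```python
"""Privileged-logon anomaly detection over constructed log lines.

Hypothetical example: the line format, accounts, hosts, hours and
thresholds are assumed for illustration and are not real data.
Each 4672 line models a Windows Security event "special privileges
assigned to new logon" with a UTC timestamp, account, target host and
source IP.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not real data). 2024-03-04 is a Monday.
SAMPLE_LOGS = """\
2024-03-04T13:02:11Z event=4672 user=admin.jlee host=FIN-WS07 src=10.10.2.15
2024-03-04T14:45:30Z event=4672 user=admin.jlee host=FIN-WS07 src=10.10.2.15
2024-03-04T15:10:02Z event=4624 user=nurse.kp host=CLIN-WS12 src=10.10.4.40
2024-03-05T02:14:07Z event=4672 user=svc_backup host=EHR-APP01 src=10.10.9.8
2024-03-05T02:15:51Z event=4672 user=svc_backup host=PBX01 src=10.10.9.8
2024-03-05T02:16:30Z event=4672 user=svc_backup host=FILESRV02 src=10.10.9.8
2024-03-05T02:17:12Z event=4672 user=svc_backup host=DC01 src=10.10.9.8
2024-03-05T09:30:00Z event=4672 user=admin.jlee host=FIN-WS07 src=10.10.2.15
"""

BUSINESS_HOURS = (7, 19)            # assumed: 07:00-19:00 UTC on weekdays
FANOUT_WINDOW = timedelta(minutes=10)
FANOUT_HOSTS = 3                    # distinct hosts per account per window
# Assumed baseline: hosts each privileged account normally administers.
BASELINE = {"admin.jlee": {"FIN-WS07"}, "svc_backup": {"BACKUP01"}}


def parse_line(line):
    """Parse 'TIMESTAMP key=value ...' into a dict with a tz-aware 'ts'."""
    ts_text, rest = line.split(" ", 1)
    rec = dict(kv.split("=", 1) for kv in rest.split())
    rec["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc)
    return rec


def off_hours(ts):
    """True on weekends or outside the assumed business-hours window."""
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def detect(log_text):
    """Return (kind, user, host, timestamp) alerts for privileged logons."""
    alerts = []
    recent = defaultdict(list)      # user -> [(ts, host)] inside the window
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["event"] != "4672":  # only privileged logons are of interest
            continue
        user, host, ts = rec["user"], rec["host"], rec["ts"]
        when = ts.isoformat()
        if off_hours(ts):
            alerts.append(("off_hours", user, host, when))
        if host not in BASELINE.get(user, set()):
            alerts.append(("new_host", user, host, when))
        # Sliding window: keep only this user's logons within FANOUT_WINDOW.
        window = [(t, h) for t, h in recent[user] if ts - t <= FANOUT_WINDOW]
        window.append((ts, host))
        recent[user] = window
        if len({h for _, h in window}) >= FANOUT_HOSTS:
            alerts.append(("privileged_fanout", user, host, when))
    return alerts


def summarize(alerts):
    """Count alerts by kind, the shape a dashboard or pager rule would use."""
    counts = defaultdict(int)
    for kind, *_ in alerts:
        counts[kind] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(*alert)
    print(summarize(detect(SAMPLE_LOGS)))
```

In the constructed data the daytime logons by admin.jlee to the workstation it normally administers produce nothing, while the overnight run by svc_backup onto the EHR server, PBX and file server raises off-hours and new-host alerts on every line and a fan-out alert once the account has touched three distinct hosts within ten minutes. A real deployment would feed these rules from a SIEM rather than a string, derive the baseline from observed history rather than a hard-coded map, and tune the window and host count to the environment's normal administrative patterns.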

Tested incident response and communications plans: Organizations that have rehearsed their response to a ransomware scenario — including who makes public statements, what legal counsel is engaged, and how regulators are notified — avoid the improvised and legally risky communications pattern visible in the Cherry Health situation.

Read the original at DataBreaches.net