British Influencer Reports Targeted HIPAA Breach at Michigan Hospital
British social media influencer Josh Cauldwell-Clarke revealed on February 11 that his electronic health records were improperly accessed by employees at a Michigan hospital during his visit last month. The breach occurred on January 18 or 19, when staff viewed his personal data including his name, date of birth, address, phone number, account details, and clinical information without a legitimate work-related reason.
Cauldwell-Clarke, known for his viral travel content with fellow influencer Jason Riley as the duo Josh & Jase, clarified in a follow-up post on February 12 that the incident was not a mass data breach but a targeted violation. He expressed discomfort over strangers possessing his private medical and personal details and confirmed he had sought legal counsel.
The influencer had been hospitalized in northern Michigan for an unspecified injury, receiving pain medication during his stay. He recounted hospital staff requesting selfies while he was under treatment and the facility removing his name from a public notice board to maintain discretion.
Under the Health Insurance Portability and Accountability Act (HIPAA), unauthorized access to medical records by employees is a violation, and hospitals are required to notify affected individuals. It remains unclear whether the Michigan hospital has taken disciplinary or corrective action in this case.
Cauldwell-Clarke and Riley’s Michigan trip, which included visits to the Mackinac Bridge, Mackinac Island, and Lake Superior, gained widespread attention for their travel vlogs and local experiences.
Michigan Hospital TPRM report: https://www.rankiteo.com/company/mymichiganhealth
"id": "mym1770956824",
"linkid": "mymichiganhealth",
"type": "Breach",
"date": "1/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '1 (Josh Cauldwell-Clarke)',
'industry': 'Healthcare',
'location': 'Michigan, USA',
'name': 'Michigan Hospital (name unspecified)',
'type': 'Healthcare Provider'}],
'attack_vector': 'Insider Misuse',
'data_breach': {'number_of_records_exposed': '1',
'personally_identifiable_information': ['Name',
'Date of Birth',
'Address',
'Phone Number',
'Account Details'],
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Personal Identifiable '
'Information (PII)',
'Medical Records']},
'date_detected': '2024-02-11',
'date_publicly_disclosed': '2024-02-11',
'description': 'British social media influencer Josh Cauldwell-Clarke '
'reported that his electronic health records were improperly '
'accessed by employees at a Michigan hospital during his visit '
'in January. The breach involved unauthorized viewing of '
'personal and medical data without a legitimate work-related '
'reason.',
'impact': {'brand_reputation_impact': 'Potential reputational damage to the '
'hospital',
'data_compromised': 'Personal and medical records',
'identity_theft_risk': 'High (PII exposed)',
'legal_liabilities': 'Potential HIPAA violation penalties',
'payment_information_risk': 'Moderate (account details exposed)',
'systems_affected': 'Electronic Health Records (EHR) system'},
'motivation': 'Curiosity / Unauthorized Personal Interest',
'post_incident_analysis': {'root_causes': 'Lack of access controls, improper '
'employee oversight, potential '
'curiosity-driven access'},
'references': [{'date_accessed': '2024-02-11',
'source': 'Social Media (Josh Cauldwell-Clarke)'}],
'regulatory_compliance': {'regulations_violated': ['HIPAA']},
'response': {'communication_strategy': 'Public disclosure by affected '
'individual (influencer)'},
'threat_actor': 'Hospital Employees',
'title': 'Targeted HIPAA Breach at Michigan Hospital Involving British '
'Influencer',
'type': 'Unauthorized Access / Insider Threat',
'vulnerability_exploited': 'Lack of access controls / improper employee '
'oversight'}