Sturgis Hospital

In December 2024, Sturgis Hospital in Michigan detected a data breach within its network, followed by a second wave of unauthorized activity in June 2025. Investigations revealed that an unauthorized third party accessed or acquired sensitive files between December 11–17, 2025, exposing the data of 77,771+ individuals. Compromised information included personally identifiable information (PII) such as names, contact details, Social Security numbers, and financial account data, as well as protected health information (PHI), including health insurance details, prescriptions, and clinical records. The breach prompted external cybersecurity interventions, law enforcement notifications, and public disclosure on September 18, 2025. Affected individuals were offered free identity theft protection (Experian IdentityWorks) and guidance on fraud monitoring. The incident posed severe risks of identity theft, financial fraud, and misuse of medical data, with potential long-term reputational and operational damage to the hospital. The scale of the breach and the sensitivity of the exposed data, spanning financial, governmental, and health records, highlighted critical vulnerabilities in the hospital’s cybersecurity infrastructure.

Source: https://www.claimdepot.com/data-breach/sturgis-hospital-2025

TPRM report: https://www.rankiteo.com/company/sturgis-hospital

"id": "stu3302533092325",
"linkid": "sturgis-hospital",
"type": "Breach",
"date": "12/2024",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': '77,771 (minimum; additional '
                                              'individuals may be affected)',
                        'industry': 'Healthcare',
                        'location': 'Sturgis, Michigan, USA',
                        'name': 'Sturgis Hospital',
                        'type': 'Healthcare Provider'},
                       {'customers_affected': '6',
                        'location': 'Montana, USA',
                        'name': 'Individuals in Montana',
                        'type': 'Patients/Customers'}],
 'customer_advisories': 'Affected individuals were notified via letter with '
                        'instructions for enrolling in identity theft '
                        'protection services and steps to mitigate risk.',
 'data_breach': {'data_exfiltration': 'Possible (files containing sensitive '
                                      'information may have been accessed or '
                                      'acquired)',
                 'file_types_exposed': ['Patient names',
                                        'Contact information',
                                        'Government identification numbers '
                                        '(e.g., Social Security numbers)',
                                        'Financial account details (e.g., bank '
                                        'account numbers)',
                                        'Health insurance details',
                                        'Clinical information (e.g., '
                                        'prescriptions, treatment records)'],
                 'number_of_records_exposed': '77,771 (minimum; additional '
                                              'records may be affected)',
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'High (includes government IDs, '
                                        'financial details, and clinical '
                                        'records)',
                 'type_of_data_compromised': ['Personally Identifiable '
                                              'Information (PII)',
                                              'Protected Health Information '
                                              '(PHI)']},
 'date_detected': ['2024-12-11', '2025-06-01'],
 'date_publicly_disclosed': '2025-09-18',
 'description': 'In December 2024, Sturgis Hospital detected unauthorized '
                'activity within a portion of its computer network, signaling '
                'a data breach. A second wave of unauthorized activity was '
                'discovered in June 2025. The breach exposed protected health '
                'information (PHI) and personally identifiable information '
                '(PII) of 77,771 individuals, with potential additional '
                'victims. The hospital engaged third-party cybersecurity '
                'experts and law enforcement to investigate and remediate the '
                'incidents. Affected individuals were offered complimentary '
                'identity theft protection services through Experian’s '
                'IdentityWorks.',
 'impact': {'brand_reputation_impact': 'Potential damage due to exposure of '
                                       'sensitive PHI and PII',
            'data_compromised': True,
            'identity_theft_risk': 'High (PII and PHI exposed)',
            'payment_information_risk': 'High (financial account details '
                                        'exposed)',
            'systems_affected': "Portion of the hospital's computer network"},
 'investigation_status': 'Ongoing (as of public disclosure on 2025-09-18)',
 'post_incident_analysis': {'corrective_actions': 'Additional security '
                                                  'measures implemented '
                                                  '(specifics not disclosed)'},
 'recommendations': ['Affected individuals should enroll in complimentary '
                     'identity theft protection services (Experian’s '
                     'IdentityWorks).',
                     'Monitor financial accounts for suspicious activity.',
                     'Obtain free credit reports and place fraud alerts or '
                     'security freezes if necessary.',
                     'Report suspicious activity to authorities.'],
 'references': [{'source': 'Sturgis Hospital Public Disclosure'},
                {'source': 'U.S. Department of Health & Human Services (HHS) '
                           'Breach Portal'},
                {'source': 'Montana Attorney General’s Office Breach Notice'}],
 'regulatory_compliance': {'regulatory_notifications': ['U.S. Department of '
                                                        'Health & Human '
                                                        'Services (HHS)',
                                                        'Montana Attorney '
                                                        'General’s Office']},
 'response': {'communication_strategy': 'Public disclosure on 2025-09-18; '
                                        'detailed notice posted on hospital '
                                        'website; direct notification to '
                                        'affected individuals with enrollment '
                                        'instructions for identity theft '
                                        'protection services',
              'containment_measures': 'Systems secured to prevent further '
                                      'unauthorized access',
              'incident_response_plan_activated': True,
              'law_enforcement_notified': True,
              'remediation_measures': 'Vulnerabilities remediated and '
                                      'additional security measures '
                                      'implemented',
              'third_party_assistance': True},
 'threat_actor': 'Unauthorized third party',
 'title': 'Sturgis Hospital Data Breach (2024-2025)',
 'type': ['Data Breach', 'Unauthorized Access']}