Published: May 1, 2026
UM Health-Sparrow Notifies Patients of Unauthorized Access to Patients Medical Information via Health Information Exchanges
A privacy incident related to unauthorized access to patient information via Health Information Exchanges for about 186 patients
On January 13, 2026, UM Health-Sparrow was notified by our electronic health record vendor, Epic Systems Corporation (“Epic”), about unusual activity involving third-party companies requesting patient records through a nationwide health information exchange connection.
Based on information provided to us and our own internal review, between March 12, 2026, and March 25, 2026, we have determined that one or more third-party companies may have obtained access to UM Health-Sparrow patient records through this exchange in circumstances that were not authorized, including instances where we could not confirm a treatment-related reason for the request.
University of Michigan Health-Sparrow
As a result of Epic’s review of the questionable activity in the exchange network, Epic filed a federal lawsuit in the U.S. District Court for the Central District of California against a company named “Health Gorilla” (and several other defendants) who Epic claims is responsible for the inappropriate accesses. The lawsuit contains allegations that these companies obtained access to patient records by misrepresenting themselves as legitimate health care providers by creating fictitious websites, shell companies, and sham provider numbers that allowed them to fraudulently obtain access to patient data.
Unauthorized access occurred between October 18, 2023, and November 12, 2025. The information that was accessed may have included one or more of the following:
Demographic information (such as name, address, phone number, email address, date of birth, medical record number); clinical information (such as diagnoses, medications, allergies, test results, and treatment information); and health insurance information.
Social Security numbers were not included in the information Epic reported was exchanged through the exchange network.
UM Health-Sparrow is taking steps to help protect patients and reduce the risk of this happening again, including:
working with Epic and the relevant exchange/network parties to identify and investigate the activity;
monitoring the litigation initiated by Epic;
reporting to and coordinating with regulators or other authorities as required.
“We take patient privacy very seriously, and we regret this incident. Whenever situations like this occur, we immediately take steps to investigate,” said Jeanne Strickland, Michigan Medicine Chief Compliance Officer.
“We will analyze this incident and review our safeguards and make changes if needed to protect those we care for.”
We believe the risk of identity or medical theft is low because no credit card, debit card, bank account, or Social Security Numbers were involved. However, we recommend that patients monitor insurance statements for any transactions related to care or services that have not actually been received. In our patient notice letters, we included ways to protect against identity theft. See https://www.usa.gov/identity-theft for more information.
Notices were mailed to the affected patients or their personal representatives starting May 1, 2026. Those concerned about the breach who do not receive a letter may call the toll-free Assistance Line: 888-202-3478. Calls will be answered Monday through Friday, 9 a.m. to 9 p.m. (Eastern Time).
###
University of Michigan Health-Sparrow is Mid-Michigan’s premier health care organization and includes hospitals in Lansing, Carson City, Charlotte, Ionia and St. Johns, as well as UM Health-Sparrow Specialty Hospital, Care Network, the Michigan Athletic Club, and AL!VE. UM Health-Sparrow is part of University of Michigan Health. Through the dedication of our 10,000 team members, UM Health-Sparrow pursues a vision to be nationally recognized as a leader in quality and patient experience. For more information, visit UofMHealthSparrow.org.