Cherry Health Data Breach Compromises Health Records

Cherry Health, formally known as Cherry Street Services Inc., disclosed a data breach that may affect certain current or former patients as well as current or former staff members.

Cherry Health first detected the breach on or about April 19, 2026, and has posted a preliminary notice on its website dated June 18, 2026. The total number of individuals affected has not yet been disclosed, as the organization stated that a comprehensive review of the data involved is still ongoing.

After detecting suspicious activity on its network, Cherry Health launched an investigation with the support of third-party specialists to determine the nature and scope of the activity, according to the company's notification. The organization stated that it promptly took measures to secure its environment.

The investigation determined that certain information stored on Cherry Health's network was accessed and copied by an unauthorized individual. Cherry Health is conducting a comprehensive review of the involved data, in partnership with third-party specialists, to determine exactly what information was at issue and to whom it relates. At the time the notice was posted, that review had not yet been completed.

The types of information that may have been exposed include names, addresses, phone numbers, dates of birth, health insurance information, health insurance ID numbers, patient ID numbers, provider names, service dates, and Social Security numbers.

According to the notification, the potentially impacted information varies by individual. Some people may have had several of these data types exposed, while others may have had only one type involved.

Cherry Health's response

According to the notification, Cherry Health said it takes this event and the security of the information in its care very seriously. As part of its ongoing commitment to protecting privacy, the organization is working to implement additional safeguards to reduce the likelihood of a similar incident in the future.

Cherry Health presently has no evidence that any of the involved information has been used to commit identity theft or fraud, according to the notification. However, the organization said it is providing information about the event and resources available to help individuals protect their information from possible misuse. Cherry Health also encouraged individuals to remain vigilant and to take proactive steps to protect their personal information.

Cherry Health stated it will notify potentially affected individuals by written letter once its data review is finalized. The website notice serves as a preliminary alert while those individual letters are being prepared. Once the review is complete, the letters will inform each person which specific types of their information were involved. Call center representatives will also be available to help answer questions once the letters are sent.

The notification included detailed guidance on steps individuals can take to protect their personal information. It was published in both English and Spanish. Individuals who want more information about the incident in the meantime may call 888-204-2407 or write to Cherry Health at 100 Cherry St. SE, Grand Rapids, MI 49503. The organization noted that the notice was not delayed by law enforcement.