Sturgis Hospital Data Breach Affects over 77k: SSNs & Health Info Exposed

Published: September 22, 2025
Updated: September 22, 2025
Types of information affected
  • Names
  • Social Security numbers
  • Dates of birth
  • Addresses
  • Government IDs
  • Medical information
  • Financial information

Claim Depot may receive a commission from links on this page.

In December 2024, Sturgis Hospital detected unauthorized activity within a portion of its computer network, signaling the existence of a data breach. The hospital, located in Sturgis, Michigan, immediately began working with third-party cybersecurity experts to investigate and remediate the incident. However, while that investigation was still ongoing, a second wave of unauthorized activity was discovered in June 2025.

According to the disclosure filed with the Dept. of Health & Human Services, 77,771 people have had their protected health information exposed. The total number of people affected may be higher, because it may also include people whose other personally identifiable information (like Social Security numbers) was exposed without any health information.

The second wave of activity prompted a separate investigation, again involving external cybersecurity specialists, to determine the extent of the breach and secure the hospital’s systems.

Based on the findings from both investigations, Sturgis Hospital determined that an unauthorized third party may have accessed or acquired files containing sensitive information. The first breach is believed to have occurred between Dec. 11 and Dec. 17, 2025. The hospital has since worked diligently to identify the individuals affected and to verify their contact information for notification purposes.

The types of information exposed in this incident are both broad and sensitive. Impacted data includes personally identifiable information (PII) such as name, contact information, government identification number (like a Social Security number), and financial account details (such as a bank account number). In addition, protected health information (PHI) was also compromised, including health insurance details and clinical information like prescriptions, treatment records, and similar medical data.

According to the disclosure filed with the Montana Attorney General’s office, six individuals in Montana were affected. The breach was publicly disclosed on Sept. 18, 2025, and a detailed notice was posted on the Sturgis Hospital website.

Sturgis Hospital's response

In response to the breach, Sturgis Hospital took immediate steps to secure its systems and prevent further unauthorized access. The hospital engaged third-party cybersecurity experts to investigate both incidents, remediate vulnerabilities, and implement additional security measures. Law enforcement was notified and involved in the process, though this did not delay the notification to affected individuals.

To support those impacted, Sturgis Hospital is offering complimentary identity theft protection services through Experian’s IdentityWorks. Affected individuals are encouraged to enroll in these services by the deadline specified in their notification letter. The hospital’s notice also provides detailed instructions on how to monitor financial accounts, obtain free credit reports, place fraud alerts or security freezes, and report suspicious activity to authorities.

Given the nature of the breach—which involved both PII and PHI—individuals should remain vigilant for signs of identity theft or fraud.

It is recommended that those affected:

  • Review account statements and credit reports regularly
  • Consider placing a fraud alert or security freeze on their credit files
  • Report any suspicious activity to law enforcement and the Federal Trade Commission
  • Take advantage of the identity theft protection resources offered by the hospital

Protect Your Data

A breach notice means your personal details could be circulating far beyond the organization involved. One practical step is continuous monitoring: services such as Identity Defender (included with an ExpressVPN subscription) can automatically check dark-web markets, flag new credit-file activity, and request removal of your information from data-broker sites.

This kind of “early-warning system” can’t undo a breach, but it can help you spot misuse quickly and limit further exposure.

Affected Entity: Sturgis Hospital
Consumers Notification date:
Date of Breach: June 1, 2025
Breach Discovered Date: December 2024
Total People Affected: 77771
Information Types Exposed
  • name
  • contact information
  • government identification number (such as a Social Security number)
  • financial account details (such as a bank account number)
  • health insurance details
  • clinical information
  • prescriptions
  • treatment records
  • similar medical