Some 120,000 patients at Munson Healthcare were recently informed that their data may have been compromised in a data breach involving one of Munson’s third-party vendors. The incident was significant enough that it prompted the office of Michigan Attorney General Dana Nessel to send a press release commenting on the matter and “reissuing her consumer alert on data breaches.”
Munson is the latest Traverse City-based organization to fall victim to a major cybersecurity rupture, with the list now including everyone from local governments to school districts to Traverse City’s largest private employer.
Per Megan Brown, chief marketing and communications officer for Munson, the incident in question “was actually a Cerner breach,” referring to the healthcare technology company behind the electronic health record (EHR) systems Munson uses. (Note: The Cerner Corporation was purchased by Oracle Health in 2022, and is now known by the latter name.)
“Cerner recently informed Munson, and some Munson patients, that there was an unauthorized third party that gained access to Cerner servers that contained Munson patient data,” Brown shared with The Ticker in a written statement. “Cerner was made aware of the breach in January 2025 and immediately secured its systems. Law enforcement instructed Cerner to wait to notify customers and patients while they completed their investigation.”
Nessel bristled at the full-year lag time between when the breach occurred and when Munson patients were notified.
“Because Michigan law does not currently require companies to immediately notify my office when a data breach occurs, we often don’t know who was impacted or when until well after a concerning cyber incident,” Nessel said in the aforementioned press release. “These delays put consumers at higher risk of identity theft, and our state needs stronger laws to better protect Michiganders from bad actors.”
Nessel is currently advocating for legislation that would “enhance protections against data breaches and identity theft,” including by requiring prompt disclosure to the attorney general’s office. The bill package in question passed the Michigan Senate last year and is currently awaiting consideration by the House.
Brown says 120,000 patients were impacted by Cerner’s breach. Per Nessel’s press release, the incident compromised a variety of sensitive patient data, “including patient names, Social Security Numbers, and information included within patient medical records, such as medical record numbers, doctors, diagnoses, medicines, test results, images, care, and treatment.” Munson is offering free credit monitoring services through Experian for all patients impacted by the breach.
“First and foremost, we are sorry for any inconvenience this Cerner incident has caused; however, data security is a top priority for Munson,” Brown added in Munson’s written statement. “We use leading-edge technologies and highly trained staff to keep patient data safe, and we will continue to do so. Our team works to thwart these attacks every day, including working closely with our vendors.”
Munson isn’t the first local organization to grapple with a recent cybersecurity breach. In 2024, a ransomware attack on Traverse City Area Public Schools (TCAPS) forced the district to cancel classes for two days. A hacker group called Medusa took responsibility for that attack, threatening to post 1.2 terabytes of data to the dark web unless TCAPS paid a $500,000 ransom. Some sensitive employee data ultimately was leaked online. Just a few months later, the City of Traverse City and Grand Traverse County suffered a similar ransomware attack.
More recently, Hagerty, Traverse City’s largest private employer, quietly dealt with a data breach of its own. In an October 2025 press release, New York State Attorney General Letitia James announced that her office had “secured $14.2 million from eight car insurance companies for failing to protect the private information of more than 825,000 New Yorkers.” Hagerty was one of the eight companies, having “experienced two attacks that exposed the private information of approximately 66,000 New Yorkers.”
Those breaches in New York “were part of a hacking campaign that targeted car insurance companies’ quoting tools and stole people’s personal information, including driver’s license numbers and dates of birth,” the release stated. The attackers then “used some of the stolen driver’s license information to file fraudulent unemployment claims at the height of the COVID-19 pandemic.”
After investigating the hacks, New York’s Office of the Attorney General determined that the hackers “were able to exploit a ‘pre-fill’ function” that Hagerty and other insurance companies had utilized for their online quoting tools.
“After limited private information about an individual was entered through an online quoting tool, the company would ‘pre-fill’ the form with private information purchased from data brokers,” the release explained. “The purpose of ‘pre-fill’ was to insert information the user might not have on hand and make filling out the form easier.” For instance, a customer could enter their name and date of birth, and the tool would then pre-fill their driver’s license number.
“The OAG found that the car insurance companies did not take reasonable steps to protect pre-fill private information,” the release added.
Hagerty ultimately paid $1.3 million to settle a lawsuit with the state of New York.
Asked about the breach and its aftermath – including whether there were lawsuits or settlements in states other than New York, how many Hagerty customers were affected in total, and what specific cybersecurity improvements Hagerty has made to prevent similar issues in the future – Hagerty spokesperson Andy Heller provided The Ticker with the following company statement:
“Protecting our members’ data is a top priority at Hagerty, and we continually invest in systems and safeguards to keep confidential information secure.”
Based in New York, Stephen Freeman is a Senior Editor at Trending Insurance News. Previously he has worked for Forbes and The Huffington Post. Steven is a graduate of Risk Management at the University of New York.
