
Work Here?
Company Does Not Provide H1B Sponsorship
Corewell Health is a not-for-profit, integrated health system in Michigan formed by combining Beaumont Health and Spectrum Health. It operates 22 hospitals and over 300 outpatient locations, and it also offers health coverage through its provider-sponsored Priority Health plan. The system covers a full continuum of care—from hospital-based services and outpatient care to post-acute services—and it finances and delivers care within one organization to improve outcomes and control costs. Corewell Health serves individuals, families, and employers, and it supports innovation through Corewell Health Ventures, its venture capital arm that invests in healthcare technology. Compared with many competitors, Corewell Health combines care delivery, financing (insurance), and investment in new technologies under a single not-for-profit umbrella, aiming to align incentives and reduce fragmentation across the care journey.
Industries
Venture Capital
Healthcare
Company Size
1,001-5,000
Company Stage
N/A
Total Funding
N/A
Headquarters
Southfield, Michigan
Founded
2022
People at Corewell Health who can refer or advise you
Help us improve and share your feedback! Did you find this helpful?
Health Insurance
401(k) Retirement Plan
401(k) Company Match
Corewell Health Pennock Hospital expands rehab services with foundation support. June 25, 2026 Expansion of orthopedic clinic services makes physical therapy more convenient and accessible for patients. Corewell Health Pennock Hospital is expanding access to rehabilitation services in Hastings, thanks to a $32,000 grant from Corewell Health Foundation Pennock Hospital, supported by local donors. Corewell Health Pennock Hospital is adding on-site physical therapy services at the Corewell Health Orthopedic Clinic at 840 Cook Road, offering a more convenient option for patients receiving orthopedic care. The Foundation grant is funding the equipment needed to support this service expansion. Physical therapy will continue at the main hospital campus on Green Street alongside this new option. This expansion comes as demand for rehabilitation services continues to grow locally. Adding physical therapy services at the orthopedic clinic will improve scheduling availability and help patients receive comprehensive care in one location. "Our goal is to make it as easy as possible for patients to receive high-quality care locally," said Bernie Jore, chief operating officer, Corewell Health Pennock Hospital. "We are incredibly grateful to our Foundation and the generous donors who make investments like this possible. Their support directly enhances our ability to serve patients and strengthen care in our community." "Bringing physical therapy directly into our orthopedic clinic is a significant step forward for patient care," said Derek Axibal, orthopedic surgeon and sports medicine specialist, Corewell Health. "It allows us to collaborate more closely as a care team and helps patients move more quickly from diagnosis to recovery." "This project will have a direct and immediate impact on our patients and our community," said Marsha Bassett, board chair, Corewell Health Foundation Pennock Hospital. "Offering the services needed all in one location with our exceptional group of physicians and care team brings us back to our core values of providing personal care to patients where they are most comfortable close to home. This is orthopedic care at its finest. Our Foundation Board is proud to support this important investment in the best possible care for our local community." "We are deeply thankful for our donors, whose generosity allows us to invest in meaningful improvements like this expansion," said Janine Dalman, foundation director, Corewell Health Pennock Hospital. "Together, we are ensuring patients can access high-quality, compassionate care right here in their community." The expanded services reinforce Corewell Health Pennock Hospital's ongoing efforts to meet growing demand and provide high-quality care for patients in Hastings and surrounding areas. Patients can learn more about available services or schedule an appointment by calling (269) 945-9520 or visiting this website. - Corewell Health
2026 Feldman Automotive Celebrity Invitational. The 2026 Feldman Automotive Celebrity Invitational took place on June 8 at the Wyndgate Country Club in Rochester Hills. Hosted by Corewell Health Foundation - Southeast Michigan in partnership with the Mark Wahlberg Youth Foundation, the event featured several celebrities and athletes, including multiple members of the Wahlberg family, Anthony Anderson, Kevin James, Bruce Bowen, Kevin Ogletree, Knowshon Moreno, Taylor Kinney, Santonio Holmes Jr., and more. To learn more about the work of Corewell Health Foundation - Southeast Michigan, visit corewellhealth.org/foundation/southeast. June 21, 2026 | / | / | / |
Class-action lawsuit in federal court alleges illegal debt collection scheme by Corewell Health. By: katherine dailey - may 26, 2026 1:50 pm. Around 7 million people are likely at risk of being kicked off Medicaid due to the end of pandemic-era benefits, according to early estimates from federal officials. Getty Images Corewell Health, one of Michigan's largest healthcare systems with 21 medical facilities statewide - encompassing more than 5,000 hospital beds and 60,000 employees - is being sued along with Delaware-based debt collection agency DCM Services, LLC in federal district court for allegedly trying to collect millions of dollars in medical bills that were already paid through insurance and government programs. The lawsuit, a class-action suit filed Friday in U.S. District Court in Detroit, alleges that Corewell and DCM engaged in fraud and violated state debt collection and consumer protection laws, among other claims. That practice, which the complaint calls "balance billing," means that Corewell Health "submits claims for payment to insurers, group health plans, Medicare, or Medicaid and accepts reduced payments under negotiated agreements and governing law as payment in full for covered services." Legally, the complaint continues, after accepting those claims, Corewell "cannot bill, charge, collect from, seek compensation, remuneration or reimbursement from, or have any recourse against the patient for covered medical services." The complaint alleges balance billing is a "routine and systematic practice" of Corewell Health, listing 19 hospitals where the plaintiffs allege the practice is being used, ranging from Big Rapids in West Michigan to a number of hospitals in Wayne County. Neither Corewell Health nor DCM Services, LLC responded to requests for comment by the time of publication. The lawsuit was brought by Michelle Rzanca as a personal representative for the estate of Jordan Field, a Michigan resident who died after receiving emergency medical services at Corewell Health Butterworth Hospital in Grand Rapids in March 2024. Corewell billed over $61,600 for the medical services that he received before entering a payment contract with his insurer, Blue Cross Blue Shield PPO. Among the exhibits in the complaint is a copy of a billing statement from the hospital noting a payment of $19,448.92 listed as "Contractual Adjustment (Insurance)." Despite that payment, the complaint states that Corewell Health claimed that the Field Estate still owed it a debt of $42,160.70 for the remaining unpaid balance, referring that debt to DCM Services for collection. "The contract prohibited Defendant Corewell from holding a BCBS-insured patient liable for any payment or fees that were the legal obligation of BCBS. Defendant Corewell could not bill, charge, collect from, seek compensation, remuneration or reimbursement from, or have any recourse against an insured patient for a covered medical service," the complaint states.
Thousands of Corewell Health patients affected by 2024 vendor data breach | FOX 2 Detroit. Source originally from "thousands of Corewell Health patients affected by 2024 vendor data breach | FOX 2 Detroit" by FOX 2 Detroit - view original. Vendor breach cascade in healthcare: Corewell Health exposes contractual notification and due diligence gaps. Why this matters at governance level. The 2024 breach affecting approximately 19,000 Corewell Health patients through former vendor Pinnacle Holdings represents more than an isolated security incident. It exposes a structural governance failure in how healthcare organizations manage third-party risk, enforce contractual accountability, and allocate breach response liability. This case illustrates that despite HIPAA requirements and emerging regulatory frameworks like NIS2, healthcare supply chains remain inadequately protected through contractual mechanisms, vendor segmentation controls, and post-breach liability allocation. For boards and compliance officers, the incident underscores a critical gap: vendor risk assessments often lack enforcement teeth, and breach response protocols frequently fail to define who bears notification costs, regulatory exposure, and patient remediation expenses. Contractual vendor risk assessment: the enforcement gap. Corewell Health's reliance on Pinnacle Holdings for healthcare consulting services created a data exposure pathway that contractual controls should have prevented or mitigated. The breach - which compromised names, contact information, Social Security numbers, medical records, and insurance details for 19,000 patients - suggests that vendor access controls were either inadequately specified in the contract or insufficiently enforced operationally. Healthcare organizations typically maintain vendor risk assessment frameworks, but these assessments often remain static documents that do not translate into binding contractual language requiring continuous security validation, incident response planning, or technical control verification. The Corewell case indicates that a consulting vendor retained access to comprehensive patient datasets beyond what contracted services required. This represents a preventable control failure: organizations should implement data segmentation policies limiting vendor visibility to production systems and enforce contractual data retention clauses requiring deletion upon service termination. Many healthcare contracts lack explicit language defining what data the vendor may access, how long it may retain that data, and what happens to it when the relationship ends. Notification complexity and liability allocation ambiguity. When Pinnacle Holdings discovered the breach, the notification cascade created multiple governance challenges. Corewell Health faced obligations under HIPAA breach notification rules, state-specific data protection laws, and potentially GDPR if any affected individuals were EU residents. Yet many healthcare organizations lack contractual language explicitly assigning vendor responsibility for breach notification expenses, regulatory response coordination, and liability allocation. The Corewell case shows that notification occurred via mail and included offers of free credit monitoring and identity protection services - costs that may or may not have been contractually allocated to the vendor. This ambiguity creates post-breach disputes that delay patient communication, complicate regulatory reporting, and expose the primary provider to enforcement action. Healthcare organizations should audit vendor contracts for explicit indemnification clauses requiring vendors to fund breach response costs, maintain cyber liability insurance with minimum coverage limits, and assume responsibility for regulatory fines and penalties resulting from their negligence. Without such language, the primary provider absorbs costs that should be borne by the vendor. Supply chain data segmentation: A systemic weakness. The Pinnacle Holdings breach reveals a systemic weakness in how healthcare organizations implement data access controls across their vendor ecosystem. A consulting vendor should access only data required to perform contracted services - not comprehensive patient records spanning medical history, insurance details, and Social Security numbers. The concentration of 19,000 affected patients through a single vendor relationship suggests inadequate data segmentation at the application and database level. Many healthcare organizations fail to implement role-based access controls limiting vendor visibility to specific data fields or enforce contractual restrictions on data copying, exporting, or transferring to third-party systems. This represents a preventable control failure that extends beyond the vendor's security posture to the primary provider's own data governance. Organizations should conduct data flow audits identifying what information each vendor actually requires, implement technical controls restricting access to those specific datasets, and enforce contractual language prohibiting vendors from aggregating or retaining data beyond service delivery requirements. Regulatory escalation and insurance coverage gaps. Corewell Health faces potential enforcement action from multiple regulatory bodies: state attorneys general, the HHS Office for Civil Rights, and state insurance commissioners. The organization must demonstrate that it exercised reasonable diligence in vendor selection, maintained contractual safeguards, and enforced vendor compliance. Yet many healthcare organizations lack cyber liability insurance policies that adequately cover third-party breach scenarios, or they maintain policies with exclusions that limit coverage when vendors are involved. Contractual language requiring vendors to indemnify the primary provider, maintain cyber liability insurance with minimum coverage limits, and fund breach response costs is often absent or unenforceable. Organizations should audit vendor contracts for explicit indemnification clauses, verify that vendors maintain active cyber liability insurance, and ensure that breach cost allocation mechanisms are clearly defined. Additionally, healthcare organizations should review their own cyber liability policies to confirm coverage for vendor-related breaches, including notification costs, regulatory fines, and remediation expenses. Without such protections, the primary provider absorbs financial and reputational risk that should be distributed across the vendor and insurance markets. Cybersol's perspective: systemic governance gaps remain unresolved. The Corewell Health breach is representative of a broader pattern in healthcare vendor governance: contractual frameworks exist, but enforcement mechanisms remain weak. Organizations often maintain vendor risk assessment templates that check compliance boxes without translating those assessments into binding contractual language with measurable performance requirements, breach notification protocols, and liability allocation mechanisms. The incident also highlights an underexplored governance gap: many healthcare organizations lack visibility into what data their vendors actually access and retain. Data flow mapping exercises - which identify what information each vendor requires and implement technical controls restricting access - remain uncommon despite their criticality to supply chain risk management. Additionally, cyber liability insurance coverage for vendor-related breaches is often inadequate or excluded, leaving primary providers exposed to costs that should be transferred to insurance markets. Healthcare boards should demand that compliance teams conduct comprehensive vendor contract audits, implement data segmentation controls, and verify cyber liability insurance coverage for third-party breach scenarios. The regulatory environment is shifting: NIS2 and emerging healthcare-specific frameworks will increase enforcement pressure on primary providers to demonstrate vendor accountability through contractual mechanisms and operational controls. Closing reflection. The Pinnacle Holdings breach affecting Corewell Health patients illustrates that vendor risk governance in healthcare remains inadequately enforced despite regulatory requirements. Organizations should review the original FOX 2 Detroit reporting for full context on breach discovery, notification timeline, and patient communication protocols. More importantly, healthcare organizations should conduct immediate audits of vendor contracts, data access controls, breach notification clauses, and cyber liability insurance coverage. The incident demonstrates that contractual vendor risk management - including explicit indemnification language, insurance verification requirements, and breach cost allocation mechanisms - remains a critical governance priority that many organizations continue to overlook.
Thousands of Corewell Health patients affected by security breach. The Detroit News March 27, 2026, 6:50 p.m. ET Thousands of Corewell Health patients' personal information was compromised in a 2024 security breach, the health system announced Friday. Pinnacle Holdings LTD, a Colorado-based vendor that previously provided Corewell with health care consulting services, recently notified the health system about the incident, Corewell Health said in a statement. Affected data varied from patient to patient but included names, addresses, phone numbers, Social Security numbers, driver's license numbers, dates of birth, medical diagnoses, prescription information, dates of service and health insurance information, hospital officials said. It may also include digital signatures, biometric data and information about medical treatments, according to Pinnacle. How many patients were impacted? After learning of the breach, Corewell Health conducted a review to determine which patients were impacted. That review was recently completed, the health system said, and information from about 19,000 patients was found to have been affected. Pinnacle has mailed notification letters to individuals affected by the breach and is unaware of any fraudulent activity tied to the incident, according to Corewell. "In general, we encourage individuals to remain vigilant against incidents of identity theft and fraud by reviewing credit reports/account statements and explanation of benefits forms for suspicious activity and to detect errors," Pinnacle said in a statement posted to its website. It's not clear who accessed the information. Pinnacle said the breach was reported to law enforcement. The company has since implemented additional safeguards to keep data safe, it said. The company is also offering free credit monitoring and identity protection services to anyone affected by the breach. For information, reach Pinnacle's call center at 866-686-2607 or visit askphc.com. Past breaches. This isn't the first time Corewell Health patients' information has been impacted by a security breach. The health system reported back-to-back cybersecurity breaches affecting more than 1 million patients each in late 2023. In November 2023, Corewell announced that a cyberattack on Welltok, Inc., a software company contracted by the system, compromised the personal information of 1 million Michigan patients. The following month, Attorney General Dana Nessel said more than a million Michigan residents were affected by another breach, this one targeting HealthEC LLC, another Corewell partner. [email protected]
Find jobs on Simplify and start your career today
Industries
Venture Capital
Healthcare
Company Size
1,001-5,000
Company Stage
N/A
Total Funding
N/A
Headquarters
Southfield, Michigan
Founded
2022
Find jobs on Simplify and start your career today