PA/NP – Variable Site Specialist-NE Service Area

Class-action lawsuit in federal court alleges illegal debt collection scheme by Corewell Health. By: katherine dailey - may 26, 2026 1:50 pm. Around 7 million people are likely at risk of being kicked off Medicaid due to the end of pandemic-era benefits, according to early estimates from federal officials. Getty Images Corewell Health, one of Michigan's largest healthcare systems with 21 medical facilities statewide - encompassing more than 5,000 hospital beds and 60,000 employees - is being sued along with Delaware-based debt collection agency DCM Services, LLC in federal district court for allegedly trying to collect millions of dollars in medical bills that were already paid through insurance and government programs. The lawsuit, a class-action suit filed Friday in U.S. District Court in Detroit, alleges that Corewell and DCM engaged in fraud and violated state debt collection and consumer protection laws, among other claims. That practice, which the complaint calls "balance billing," means that Corewell Health "submits claims for payment to insurers, group health plans, Medicare, or Medicaid and accepts reduced payments under negotiated agreements and governing law as payment in full for covered services." Legally, the complaint continues, after accepting those claims, Corewell "cannot bill, charge, collect from, seek compensation, remuneration or reimbursement from, or have any recourse against the patient for covered medical services." The complaint alleges balance billing is a "routine and systematic practice" of Corewell Health, listing 19 hospitals where the plaintiffs allege the practice is being used, ranging from Big Rapids in West Michigan to a number of hospitals in Wayne County. Neither Corewell Health nor DCM Services, LLC responded to requests for comment by the time of publication. The lawsuit was brought by Michelle Rzanca as a personal representative for the estate of Jordan Field, a Michigan resident who died after receiving emergency medical services at Corewell Health Butterworth Hospital in Grand Rapids in March 2024. Corewell billed over $61,600 for the medical services that he received before entering a payment contract with his insurer, Blue Cross Blue Shield PPO. Among the exhibits in the complaint is a copy of a billing statement from the hospital noting a payment of $19,448.92 listed as "Contractual Adjustment (Insurance)." Despite that payment, the complaint states that Corewell Health claimed that the Field Estate still owed it a debt of $42,160.70 for the remaining unpaid balance, referring that debt to DCM Services for collection. "The contract prohibited Defendant Corewell from holding a BCBS-insured patient liable for any payment or fees that were the legal obligation of BCBS. Defendant Corewell could not bill, charge, collect from, seek compensation, remuneration or reimbursement from, or have any recourse against an insured patient for a covered medical service," the complaint states.

Thousands of Corewell Health patients affected by 2024 vendor data breach | FOX 2 Detroit. Source originally from "thousands of Corewell Health patients affected by 2024 vendor data breach | FOX 2 Detroit" by FOX 2 Detroit - view original. Vendor breach cascade in healthcare: Corewell Health exposes contractual notification and due diligence gaps. Why this matters at governance level. The 2024 breach affecting approximately 19,000 Corewell Health patients through former vendor Pinnacle Holdings represents more than an isolated security incident. It exposes a structural governance failure in how healthcare organizations manage third-party risk, enforce contractual accountability, and allocate breach response liability. This case illustrates that despite HIPAA requirements and emerging regulatory frameworks like NIS2, healthcare supply chains remain inadequately protected through contractual mechanisms, vendor segmentation controls, and post-breach liability allocation. For boards and compliance officers, the incident underscores a critical gap: vendor risk assessments often lack enforcement teeth, and breach response protocols frequently fail to define who bears notification costs, regulatory exposure, and patient remediation expenses. Contractual vendor risk assessment: the enforcement gap. Corewell Health's reliance on Pinnacle Holdings for healthcare consulting services created a data exposure pathway that contractual controls should have prevented or mitigated. The breach - which compromised names, contact information, Social Security numbers, medical records, and insurance details for 19,000 patients - suggests that vendor access controls were either inadequately specified in the contract or insufficiently enforced operationally. Healthcare organizations typically maintain vendor risk assessment frameworks, but these assessments often remain static documents that do not translate into binding contractual language requiring continuous security validation, incident response planning, or technical control verification. The Corewell case indicates that a consulting vendor retained access to comprehensive patient datasets beyond what contracted services required. This represents a preventable control failure: organizations should implement data segmentation policies limiting vendor visibility to production systems and enforce contractual data retention clauses requiring deletion upon service termination. Many healthcare contracts lack explicit language defining what data the vendor may access, how long it may retain that data, and what happens to it when the relationship ends. Notification complexity and liability allocation ambiguity. When Pinnacle Holdings discovered the breach, the notification cascade created multiple governance challenges. Corewell Health faced obligations under HIPAA breach notification rules, state-specific data protection laws, and potentially GDPR if any affected individuals were EU residents. Yet many healthcare organizations lack contractual language explicitly assigning vendor responsibility for breach notification expenses, regulatory response coordination, and liability allocation. The Corewell case shows that notification occurred via mail and included offers of free credit monitoring and identity protection services - costs that may or may not have been contractually allocated to the vendor. This ambiguity creates post-breach disputes that delay patient communication, complicate regulatory reporting, and expose the primary provider to enforcement action. Healthcare organizations should audit vendor contracts for explicit indemnification clauses requiring vendors to fund breach response costs, maintain cyber liability insurance with minimum coverage limits, and assume responsibility for regulatory fines and penalties resulting from their negligence. Without such language, the primary provider absorbs costs that should be borne by the vendor. Supply chain data segmentation: A systemic weakness. The Pinnacle Holdings breach reveals a systemic weakness in how healthcare organizations implement data access controls across their vendor ecosystem. A consulting vendor should access only data required to perform contracted services - not comprehensive patient records spanning medical history, insurance details, and Social Security numbers. The concentration of 19,000 affected patients through a single vendor relationship suggests inadequate data segmentation at the application and database level. Many healthcare organizations fail to implement role-based access controls limiting vendor visibility to specific data fields or enforce contractual restrictions on data copying, exporting, or transferring to third-party systems. This represents a preventable control failure that extends beyond the vendor's security posture to the primary provider's own data governance. Organizations should conduct data flow audits identifying what information each vendor actually requires, implement technical controls restricting access to those specific datasets, and enforce contractual language prohibiting vendors from aggregating or retaining data beyond service delivery requirements. Regulatory escalation and insurance coverage gaps. Corewell Health faces potential enforcement action from multiple regulatory bodies: state attorneys general, the HHS Office for Civil Rights, and state insurance commissioners. The organization must demonstrate that it exercised reasonable diligence in vendor selection, maintained contractual safeguards, and enforced vendor compliance. Yet many healthcare organizations lack cyber liability insurance policies that adequately cover third-party breach scenarios, or they maintain policies with exclusions that limit coverage when vendors are involved. Contractual language requiring vendors to indemnify the primary provider, maintain cyber liability insurance with minimum coverage limits, and fund breach response costs is often absent or unenforceable. Organizations should audit vendor contracts for explicit indemnification clauses, verify that vendors maintain active cyber liability insurance, and ensure that breach cost allocation mechanisms are clearly defined. Additionally, healthcare organizations should review their own cyber liability policies to confirm coverage for vendor-related breaches, including notification costs, regulatory fines, and remediation expenses. Without such protections, the primary provider absorbs financial and reputational risk that should be distributed across the vendor and insurance markets. Cybersol's perspective: systemic governance gaps remain unresolved. The Corewell Health breach is representative of a broader pattern in healthcare vendor governance: contractual frameworks exist, but enforcement mechanisms remain weak. Organizations often maintain vendor risk assessment templates that check compliance boxes without translating those assessments into binding contractual language with measurable performance requirements, breach notification protocols, and liability allocation mechanisms. The incident also highlights an underexplored governance gap: many healthcare organizations lack visibility into what data their vendors actually access and retain. Data flow mapping exercises - which identify what information each vendor requires and implement technical controls restricting access - remain uncommon despite their criticality to supply chain risk management. Additionally, cyber liability insurance coverage for vendor-related breaches is often inadequate or excluded, leaving primary providers exposed to costs that should be transferred to insurance markets. Healthcare boards should demand that compliance teams conduct comprehensive vendor contract audits, implement data segmentation controls, and verify cyber liability insurance coverage for third-party breach scenarios. The regulatory environment is shifting: NIS2 and emerging healthcare-specific frameworks will increase enforcement pressure on primary providers to demonstrate vendor accountability through contractual mechanisms and operational controls. Closing reflection. The Pinnacle Holdings breach affecting Corewell Health patients illustrates that vendor risk governance in healthcare remains inadequately enforced despite regulatory requirements. Organizations should review the original FOX 2 Detroit reporting for full context on breach discovery, notification timeline, and patient communication protocols. More importantly, healthcare organizations should conduct immediate audits of vendor contracts, data access controls, breach notification clauses, and cyber liability insurance coverage. The incident demonstrates that contractual vendor risk management - including explicit indemnification language, insurance verification requirements, and breach cost allocation mechanisms - remains a critical governance priority that many organizations continue to overlook.