Clarkston Chiropractic Sports & Wellness Data Breach: 2,757 Patients Affected in Michigan
A significant healthcare data breach has impacted Clarkston Chiropractic Sports & Wellness in Michigan, affecting 2,757 patients. The incident, reported to the Department of Health and Human Services on June 11, 2025, involved a hacking/IT incident that compromised the practice's network server.
What Happened
Clarkston Chiropractic Sports & Wellness experienced a cybersecurity incident that resulted in unauthorized access to their network server. The breach was classified as a hacking/IT incident, indicating that cybercriminals gained unauthorized access to the healthcare provider's digital systems.
The incident involved a business associate, which is common in healthcare data breaches. Under HIPAA regulations, business associates are third-party vendors that handle protected health information (PHI) on behalf of covered entities. This could include IT service providers, cloud storage companies, billing services, or other technology vendors.
While the specific details of how the breach occurred have not been disclosed, network server compromises typically involve:
- Malware infections through phishing emails or malicious downloads
- Ransomware attacks that encrypt and steal data
- Credential theft through password attacks or social engineering
- Unpatched software vulnerabilities exploited by attackers
Who Is Affected
The breach impacts 2,757 individuals who were patients of Clarkston Chiropractic Sports & Wellness. This represents a significant portion of the practice's patient base and affects residents primarily in Michigan and surrounding areas.
Patients who received services from the practice should assume their information may have been compromised and take appropriate protective measures.
Breach Details
Key Facts:
- Entity: Clarkston Chiropractic Sports & Wellness
- Location: Michigan
- Entity Type: Healthcare Provider (Chiropractic Practice)
- Individuals Affected: 2,757
- Breach Type: Hacking/IT Incident
- System Compromised: Network Server
- Report Date: June 11, 2025
- Business Associate Involvement: Yes
The breach occurred on the practice's network server, which typically stores various types of patient information including:
- Patient names and contact information
- Social Security numbers
- Insurance information
- Medical records and treatment history
- Payment and billing information
- Appointment scheduling data
Under 45 CFR § 164.404 of the HIPAA Breach Notification Rule, covered entities must report breaches affecting 500 or more individuals to HHS within 60 days of discovery. The June 11, 2025 report date suggests the breach was likely discovered in April 2025.
What This Means for Patients
If you're a patient of Clarkston Chiropractic Sports & Wellness, this breach could have several implications:
Immediate Risks
- Identity theft using stolen personal information
- Medical identity theft where criminals use your health information for fraudulent medical services
- Insurance fraud using your insurance information for unauthorized claims
- Financial fraud if payment information was accessed
Long-term Concerns
- Your protected health information (PHI) may be sold on dark web marketplaces
- Potential for targeted phishing attacks using your personal information
- Risk of discrimination if sensitive medical information becomes public
Legal Rights
Under HIPAA's Breach Notification Rule (45 CFR § 164.404-414), affected patients have the right to:
- Receive individual notification within 60 days of breach discovery
- Be informed about what information was involved
- Understand what the entity is doing to investigate and mitigate the breach
- Learn what steps they can take to protect themselves
How to Protect Yourself
If you're affected by this breach, take these immediate steps:
Monitor Your Accounts
- Review medical insurance statements for unauthorized services
- Check credit reports from all three bureaus (Equifax, Experian, TransUnion)
- Monitor bank and credit card statements for suspicious activity
- Set up account alerts for unusual activity
Consider Credit Protection
- Place a fraud alert on your credit reports
- Consider a credit freeze to prevent new accounts from being opened
- If Social Security numbers were involved, monitor for Social Security fraud
Healthcare-Specific Actions
- Review Explanation of Benefits (EOB) statements carefully
- Contact your insurance company if you notice unfamiliar medical claims
- Keep records of all medical appointments and treatments for comparison
Stay Vigilant
- Be wary of phishing emails or calls requesting personal information
- Don't click on suspicious links or download unexpected attachments
- Verify the identity of anyone requesting your health information
Prevention Lessons for Healthcare Providers
This breach highlights critical cybersecurity challenges facing healthcare providers:
Business Associate Management
The involvement of a business associate underscores the importance of:
- Thorough vetting of third-party vendors
- Comprehensive Business Associate Agreements (BAAs) as required by 45 CFR § 164.502(e)
- Regular security assessments of business associates
- Clear incident response procedures involving business associates
Network Security Best Practices
- Regular security updates and patch management
- Multi-factor authentication for all system access
- Network segmentation to limit breach impact
- Continuous monitoring for suspicious activity
- Employee cybersecurity training to prevent social engineering attacks
HIPAA Compliance Requirements
Healthcare providers must maintain:
- Administrative safeguards (45 CFR § 164.308)
- Physical safeguards (45 CFR § 164.310)
- Technical safeguards (45 CFR § 164.312)
- Regular risk assessments as required by 45 CFR § 164.308(a)(1)
The HIPAA Security Rule requires covered entities to conduct regular risk assessments and implement appropriate safeguards based on their size, complexity, and technical capabilities.
Moving Forward
This breach serves as another reminder of the persistent cybersecurity threats facing healthcare organizations. With healthcare data breaches increasing in frequency and severity, both providers and patients must remain vigilant.
Patients should expect to receive individual notification letters from Clarkston Chiropractic Sports & Wellness within 60 days of the breach discovery, providing more specific details about what information was involved and what protective services may be offered.
Healthcare providers should use this incident as an opportunity to review their own cybersecurity postures and ensure they're meeting all HIPAA compliance requirements, particularly regarding business associate relationships and network security.
Healthcare cybersecurity requires ongoing attention, regular updates, and comprehensive training. The cost of prevention is significantly lower than the cost of a data breach, which can include regulatory fines, legal costs, notification expenses, and long-term reputation damage.