HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

Sturgis Hospital reports dual cyberattacks affecting over 77,000 patients

Written by Lusanda Molefe | Sep 27, 2025 12:13:52 AM

Sturgis Hospital has disclosed two separate cyberattacks that exposed sensitive data of 77,771 patients after unauthorized parties breached the Michigan facility's computer networks in December 2024 and June 2025. The rural hospital, which recently became Michigan's first Rural Emergency Hospital, confirmed that attackers accessed names, Social Security numbers, medical records, and financial information during the incidents, raising concerns about the vulnerability of smaller healthcare facilities to sophisticated cyber threats.

What happened

On December 11, 2024, Sturgis Hospital detected unauthorized activity within a portion of its computer network. The hospital immediately engaged third-party cybersecurity experts to investigate and contain the breach, which lasted until December 17, 2024. While that investigation was still underway, the facility discovered a second wave of unauthorized activity in June 2025, prompting a separate investigation.

Both investigations revealed that unauthorized third parties had potentially accessed or acquired files containing patient and employee information. The breaches exposed personally identifiable information (PII), including names, contact details, Social Security numbers, and bank account numbers, as well as protected health information (PHI) such as health insurance details, prescriptions, treatment records, and other clinical data. The hospital notified affected individuals on September 18, 2025, nine months after the initial breach.

Why it matters

The dual breaches at Sturgis Hospital show the cybersecurity risks facing rural healthcare facilities, which often operate with limited IT resources while carrying the same regulatory obligations as larger health systems. Rural hospitals serve communities where patients may have few healthcare alternatives, which makes operational disruptions from cyberattacks especially damaging.

The nine-month delay between the initial breach and notification raises questions about detection capabilities and incident response protocols at smaller healthcare facilities. This extended timeline gave criminals substantial opportunity to monetize stolen data through identity theft, insurance fraud, or sale on dark web marketplaces before victims could take protective measures.

The intrigue

The occurrence of two separate breaches within six months suggests either persistent targeting by cybercriminals or significant unresolved vulnerabilities in Sturgis Hospital's security infrastructure. The second breach occurring while the first was still under investigation indicates that initial remediation efforts may have been incomplete or that attackers maintained persistent access through backdoors established during the first incident.

The timing is particularly notable given Sturgis Hospital's recent milestone achievement as Michigan's first Rural Emergency Hospital, a federal designation aimed at preserving emergency services in rural communities. This status brings additional federal funding but also potentially makes the facility a more attractive target for financially motivated cybercriminals.

What was said

Sturgis Hospital stated in their breach notice, "We determined that an unauthorized third party potentially accessed or acquired a limited amount of personal information on our patients and employees."

They further noted, "We worked with third-party experts to address these events, perform an investigation into the unauthorized activity, and further secure our systems to protect information. We also notified law enforcement, which did not delay this notice."

FAQs

What's the difference between PII and PHI?

PII (personally identifiable information) includes data such as names, Social Security numbers, and financial account numbers that can be used to identify a specific individual. PHI (protected health information) is health-related data about an identifiable individual that is protected under HIPAA.

What is a "threat actor" in cybersecurity?

A threat actor is any individual or group that attempts to gain unauthorized access to computer systems or data.

What does "remediation" mean after a breach?

Remediation involves fixing vulnerabilities, removing attacker access, and strengthening security after a breach.