Ten months later, McLaren reveals 740,000 impacted by ransomware attack

- Last summer, hackers accessed sensitive patient information at McLaren Health Care, including medical records and Social Security numbers
- The 12-hospital system concluded an internal review of the cybersecurity breach on May 5 and recently started to inform affected individuals
- The breach was the second in two years
After 10 months, McLaren Health Care has begun to notify more than 740,000 patients who had sensitive personal data and health records exposed during the hospital system’s August 2024 ransomware attack.
The extent of the data extortion scheme, which delayed critical care for chronically ill patients at the Karmanos Cancer Institute and facilities across the state, came to light in recent days as the 12-hospital system based in Grand Blanc posted notice on its website and informed state agencies about the incident.
The cyberattack revealed a range of private files to a group of hackers who use patient data as criminal collateral, including individual medical history, treatment information, Social Security numbers, health insurance and medication records.
Dave Jones, a spokesperson for McLaren, said the hospital system completed its internal investigation with a third-party forensic specialist on May 5 when it determined sensitive patient data had been illegally accessed.
He says the health care system has “followed all regulatory reporting guidelines.”
“Protecting the security and privacy of data in our systems is a top priority,” Jones told Bridge Michigan in an email.
“While there is no evidence of actual or attempted misuse of personal information as a result of the incident, McLaren has begun the process of notifying patients whose data may have been impacted by the event and offering complimentary identity protection out of an abundance of caution.”
Federal law requires breaches of protected health information affecting more than 500 people to be reported "without unreasonable delay" and no later than 60 calendar days after discovery.
The US Department of Health and Human Services, which maintains a database of health record breaches required by law, had not posted McLaren’s most recent cybersecurity failure as of June 26.
The agency declined to comment to Bridge Michigan on McLaren.
The Michigan Attorney General’s Office did not respond to Bridge’s request for comment on the agency’s awareness of the breach or McLaren’s obligation to inform those impacted by the security failure.
It’s the second such ransomware attack for McLaren since October 2023, when the personal health information of at least 2.5 million patients was exposed by the hacker gang BlackCat/ALPHV.
In previous statements, Attorney General Dana Nessel said state law does not require companies to notify the government of significant data breaches, with her office generally learning about consumer-impacting cyberattacks through media reports.
According to the latest available data, the US Department of Health and Human Services Office for Civil Rights is currently reviewing 28 leaks in the state, including those at Michigan Medicine and Catholic Charities West Michigan.
The investigations cover more than 800,000 individuals.
Hacker threats
McLaren has not specified the actors behind the attack, or its response to the extortion scheme, but cybersecurity watchdogs have linked the ransomware breach to the Inc. Ransom cybergang.
Memos reportedly obtained by employees allege the hacker group wanted “nothing more than money” as part of the scheme.
Claudia Rast, a cybersecurity attorney with the Detroit-based law firm Butzel Long, said patient data from ransomware attacks generally ends up on the dark web, where the records become available to anybody who wants to buy them.
“It’s like a ‘Star Wars’ bar,” Rast told Bridge Michigan. “You don’t want to go there.”
The aftermath of a cyberattack is a “fairly chaotic situation,” Rast explained, with organizations like McLaren working first to identify the vulnerabilities that led to a breach before determining what exactly was accessed during the hack.
Figuring out which data was taken by groups like Inc. Ransom and BlackCat/ALPHV requires extensive internal audits and data mining processes that often span weeks.
“The threat actors don't label with an Excel spreadsheet… what they took,” she said.
While companies generally employ legal counsel to ensure their compliance with state law and federal statutes like the Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act, Rast says their biggest expense is usually the mailing campaigns that follow to inform impacted individuals.
“More often these days, companies have good backups, so they can restore their systems over time,” Rast said. “It's notification and the forensic work that seems to be the greater cost.”
What can patients do?
As part of its consumer alert, McLaren is urging patients to monitor and review their financial statements and insurance claims, offering free credit monitoring and services through the identity theft protection company IDX.
Credit freezes can also help stop identity theft, and companies like Equifax and TransUnion offer a one-year, free fraud alert to monitor for suspicious activity.
But consumer advocates, like Suzanne Bernstein with the privacy protection advocacy group the Electronic Privacy Information Center, worry that breaches like those experienced by McLaren risk “chilling access to health care” as hacking attacks become more frequent.
“We’re often seeing reporting of the breach of really sensitive health information from hospital systems,” said Bernstein. “There's just an increased amount of data collection, which only increases the risk that data has to unauthorized use or breach.”
Bernstein said she worries about a “broader societal harm” as more health information is digitized, advocating for “data minimization” — which requires entities to limit collection based on need.
She highlighted litigation targeting hospital systems’ use of cookies and third-party ad trackers as examples of efforts to challenge data sharing outside of the patient-provider relationship, and advocates for more robust state and federal law that protects health information.
“I think having sectoral but also comprehensive privacy, cybersecurity requirements on the federal level would be great,” Bernstein said. “I sympathize with the reaction of feeling a little helpless as one person compared to a much larger, broader system.”