McLaren Healthcare, based in Grand Blanc, Michigan, sent notification letters this month to 743,131 to patients whose personal information and protected health information were exposed during a ransomware incident that occurred between July 17 and Aug. 3, 2024.
WHY IT MATTERS
“The information that could have been involved includes name, Social Security number, driver’s license number, medical information and health insurance information,” according to data breach documents filed by McLaren.
After completing a forensic investigation on May 5, the Michigan-based health system said patients at its Karmanos Cancer Centers were also affected.
“McLaren has not publicly disclosed what types of data were compromised in the attack, but patients and staff should take steps to protect their finances and identities,” said Paul Bischoff, a consumer privacy advocate at Comparitech, a firm researching U.S. and UK cybersecurity and online privacy.
While McLaren did not name the threat actors in the letter, Bischoff said the alleged perpetrator, Inc Ransomware, has attacked many hospitals and clinics.
“They also have a lot of non-IT staff and internet-facing services, which give hackers more opportunities to break in through phishing and software vulnerabilities,” he said by email.
THE LARGER TREND
McLaren Healthcare’s delivery operations were disrupted after last year’s attack, with some elective surgeries postponed and providers manually updating charts.
However, platforms were restored ahead of schedule, with all functions at McLaren’s 13 hospitals, Karmanos Cancer Centers and outpatient clinics resuming operations across the state on Aug. 30.
McLaren was also attacked two years ago by the ALPHV/BlackCat ransomware group, which stole 2.2 million patients’ PHI during that incident.
Later that year, the FBI announced that it had shut down BlackCat by hacking into and seizing the Russia-based ransomware group’s darknet website and infrastructure.
But by February 2024, BlackCat claimed responsibility for exfiltrating 6TB of data in the crippling Change Healthcare attack, proving that threat actors will remain relentless in their pursuit of stealing valuable healthcare data.
In addition to potential HIPAA fines and related legal fees, ransomware has cost U.S. healthcare organizations $21.9 billion in downtime since 2018, Comparitech said in December.
ON THE RECORD
“Upon discovering the event, McLaren moved quickly to investigate and respond to the incident, assess the security of McLaren systems, and identify potentially affected individuals,” the notice said. “McLaren is also working to implement additional safeguards and training to its employees.”
Andrea Fox is senior editor of Healthcare IT News.
Email: [email protected]
Healthcare IT News is a HIMSS Media publication.
