The McLaren Health Care data breach impacting nearly 2.2 million patient records is under investigation.
McLaren confirmed the intrusion and unauthorized data access after experiencing suspicious activity on its network, and the ALPHV/BlackCat ransomware group claimed responsibility for the apparent ransomware attack.
“On or about August 22, 2023, we became aware of suspicious activity related to certain McLaren computer systems,” McLaren posted on its website.
The healthcare service provider hired third-party cyber forensics experts to investigate the breach, secure the network, and assess the scope of the incident. McLaren confirmed unauthorized access to its network and that “information pertaining to certain individuals may have been included in the potentially impacted files.”
Based in Grand Blanc, Michigan, McLaren Health Care is a “fully integrated health care delivery system” with 15 hospitals. It has over 28,000 employees and earned over $6 billion in revenue in 2022.
McLaren Health Care data breach exposed protected health information
In October, the Russian ALPHV/BlackCat ransomware gang claimed responsibility for the McLaren Health Care data breach and allegedly exfiltrated at least six terabytes of data.
Additionally, the gang published samples of the stolen patient data and threatened to leak the entire database of 2.5 million McLaren patients if a ransom was not paid. The group also said it was in touch with McLaren Health Care representatives, a claim that was neither confirmed nor denied.
Instead, McLaren Health Care said it was “…investigating reports that some of [its] data may be available on the dark web and will notify individuals whose information was impacted, if any, as soon as possible.”
Michigan Attorney General Dana Nessel also published a consumer alert warning that the McLaren Health Care data breach would affect large numbers of patients, potentially leading to misuse of personal information.
Based on McLaren’s investigation, an undisclosed threat actor breached its network and accessed certain patient information. According to a data breach notification filed with the Office of the Maine Attorney General, the data breach occurred between July 28, 2023, and August 23, 2023, and was discovered on October 10, 2023.
The healthcare service provider disclosed that the attacker accessed sensitive personal information, including names, dates of birth, and Social Security Numbers. Additionally, the threat actor accessed medical information, including diagnosis, treatment details, medical record numbers, health insurance information, and Medicare/Medicaid details.
The healthcare service provider did not, however, disclose the attack vector or whether the threat actor made any ransom demands.
McLaren Health Care said that they found no evidence that the attacker misused or sold the stolen patient data.
Additionally, the company offered 12 months of identity protection as a matter of precaution and advised the victims to remain vigilant for potential cyber attacks or fraud.
“This is a significant amount of information that was stolen by attackers, then exposed,” said Erich Kron, Security Awareness Advocate at KnowBe4. “Given the timing of the reported ransomware attack, this is likely the result of the organization not paying the cyber criminals the ransom they demanded.”
Darren Guccione, CEO and Co-Founder at Keeper Security, suggested raising the bar for organizations collecting sensitive information.
“Companies that are the custodians of this critical information require a much higher bar for security and monitoring than other types of organizations,” said Guccione. “The breach of McLaren Health Care highlights the need for healthcare organizations large and small to prioritize strengthening their cybersecurity posture.”
Potential McLaren Health Care data breach lawsuit
Healthcare data breaches must be reported promptly to comply with privacy regulations and prevent the abuse of protected personal health information.
The McLaren Health Care data breach was submitted to the U.S. Department of Health and Human Services Office for Civil Rights on October 20, 2023, and the company began notifying impacted individuals on November 9, 2023, approximately three months after the incident.
When the Michigan Attorney General published the consumer alert, she noted that the McLaren Health Care data breach was conspicuously missing from the list of reported cyber incidents.
“Since June 2023, the portal shows data breaches impacted the PHI of approximately 185,277 individuals. That number does not include McLaren,” the Michigan AG stated.
Similarly, Schubert Jonckheer & Kolbe LLP is investigating whether the McLaren Health Care data breach was properly handled, which could result in a class action lawsuit and potential victim compensation.
“Although the breach occurred over three months ago, McLaren only began notifying impacted patients on or around November 9, 2023, which may have violated state and federal laws,” the law firm stated. “As a result, you may be entitled to money damages and an injunction requiring changes to McLaren’s cybersecurity practices.”