
Cyber Incident Victim: McKenzie Health System

Date: Apr 2022

Location: United States of America

Summary

McKenzie Health System experienced a ransomware attack by the Avos Locker group, which resulted in the compromise of protected health information, including health insurance details. The attackers listed the organization on their leak site and provided limited proof of data exfiltration, though the extent of the breach was initially unclear. The incident impacted 25,318 individuals, prompting mandatory reporting to federal authorities and notification to affected patients. The organization’s public disclosure did not reference the ransomware involvement or confirm whether attackers had already leaked stolen data.


Description

On or around April 7, 2022, Avos Locker ransomware operators claimed responsibility for an attack on McKenzie Health System, a Michigan-based healthcare provider. The group listed the organization on their data leak site, providing limited proof of claim that included at least one file containing health insurance information, which constitutes protected health information (PHI). The evidence presented by the attackers did not strongly demonstrate acquisition of substantial sensitive data. McKenzie Health System had no public statements regarding the incident on its website at the time of initial reporting and did not respond to inquiries from DataBreaches.net seeking confirmation or denial of the breach. This lack of public acknowledgment persisted for over a month following the ransomware group's disclosure.


McKenzie Health System eventually reported the incident to the U.S. Department of Health and Human Services (HHS) on May 10, 2022, disclosing that the breach affected 25,318 patients. The organization mailed notification letters to impacted individuals and published a notice on its website the same day as the HHS filing. McKenzie's public notice omitted any reference to ransomware involvement or prior data exfiltration by threat actors, despite Avos Locker's earlier leak site publication. The compromised data included PHI in the form of health insurance information, though the full scope of accessed records remained unspecified in available disclosures. No operational disruptions or system restoration timelines were detailed in McKenzie's communications, nor did the organization confirm whether any data was actually published by the attackers following their initial leak site posting.
