
Cyber Incident Victim: McLaren Health Care

Date: Aug 2023

Location: United States of America

Summary

McLaren Health Care suffered a ransomware attack claimed by the BlackCat/AlphV group, which exfiltrated a significant amount of data. The attackers stole patient information and threatened to leak it on the dark web, potentially impacting millions of patients. McLaren's systems were disrupted, though patient care continued. The organization launched an investigation with cybersecurity specialists and law enforcement but did not corroborate all of the attackers' claims.


Description

A ransomware attack targeted McLaren Health Care, impacting its network of 14 Michigan hospitals in late August and early September of 2023. The incident caused significant operational disruption, affecting billing systems and electronic medical records. This disruption forced workers at times to resort to using personal cellphones for communication. The criminal ransomware gang known as BlackCat, also referred to as AlphV, claimed responsibility for the cyberattack. The group posted online that it had successfully exfiltrated approximately six terabytes of data from McLaren's systems. This stolen data was claimed to include the personal information of an estimated 2.5 million patients. The group further boasted that the leak would be one of the biggest of all time and asserted that their backdoor remained active on the McLaren network, a claim the health care provider later disputed.


McLaren Health Care acknowledged the ransomware event and the potential for data exposure on the dark web. The organization stated that protecting the security and privacy of data in its systems is a top organizational priority. In response to the attack, McLaren immediately launched a comprehensive investigation to understand the source of the network disruption and to identify the scope of any potential data exposure. The health care system retained leading global cybersecurity specialists to assist in this investigation and had been in touch with law enforcement agencies. Measures were also taken to further strengthen its cybersecurity posture, with a specific focus on securing systems and limiting disruption to patients and the communities it serves.

Regarding the claims made by the BlackCat/AlphV group, a spokesperson for McLaren stated that at least some of the assertions had not been corroborated by their investigation. Specifically addressing the gang's claim of an active backdoor, the spokesperson said that based on the current analysis conducted with their cybersecurity specialists, they did not see evidence to support this claim. McLaren did not provide answers to specific questions from the media about the exact date the cyberattack was first identified, the specific types of information stolen, or the precise number of patients and employees affected. The investigation into reports that some data may be available on the dark web was ongoing, and the organization committed to notifying individuals whose information was impacted as soon as possible.

The BlackCat/AlphV group is a criminal ring with ties to Russia that has been implicated in other ransomware attacks within the health care sector. Earlier in the same year, this group was responsible for an attack on a health system in Lehigh, Pennsylvania. The group's modus operandi involves exfiltrating data first and then using it for extortion purposes. In the Pennsylvania case, the bad actors directly targeted patients, threatening to leak sensitive medical information, such as mammograms, unless individual ransoms were paid. This tactic of directly extorting patients by threatening to release deeply personal and sensitive health information is considered particularly vicious and represents an escalation in the severity of health care-focused cyberattacks.

Health care providers like McLaren Health Care operate under strict federal regulations concerning data breaches. They are required to report any breach of protected health information to the U.S. Department of Health and Human Services as well as the Federal Trade Commission. The federal HIPAA Breach Notification Rule provides specific guidelines for public disclosure when personal health information is compromised. This rule mandates that health care providers disclose details of the breach within 60 days of its discovery. The required disclosures must include information on what types of information were compromised, what steps affected individuals should take to protect themselves, what is being done to investigate the breach, and provide relevant contact information. Furthermore, if a cyberattack affects 500 people or more, the health care provider is also required to notify a prominent media outlet within that same 60-day window.

The health care industry remains a prime target for cybercriminals. A report released in July by Trustwave, a Chicago-based cybersecurity company, found that nationally, 24% of all cyberattacks in the U.S. during 2022 targeted the health care sector. The financial impact of these breaches is substantial, with the average cost of a health care data breach in 2023 estimated to be approximately $11 million. This high cost reflects the severe operational disruption, the expense of investigation and remediation, potential regulatory fines, and the long-term reputational damage suffered by affected organizations. The McLaren Health Care incident exemplifies the ongoing and significant threat that ransomware groups pose to critical infrastructure, particularly within the health care system where the security of sensitive patient data and the continuity of medical services are paramount. The organization assured patients and the communities it serves that its systems remained operational and that it continued to provide the exceptional care for which it is known despite the challenges posed by the cyberattack.
