McLaren Health Care Suffers Second Major Cyberattack in a Year
Earlier this month, McLaren Health Care in Michigan announced it had fallen victim to a cyberattack that disrupted its IT systems and operations at 13 of its hospitals and healthcare facilities. Some of those facilities diverted ambulances to other facilities due to the lack of access to patient records, and appointments were canceled due to the inability to access radiology and lab test reports and orders for additional testing and procedures.
This attack was conducted by INC Ransom, a ransomware group that has conducted several attacks on the healthcare and public health (HPH) sector since its emergence in July 2023. INC Ransom is known to engage in double extortion, stealing data in addition to encrypting files. Victims are told they must pay for the decryption keys and to prevent the leaking of the stolen data. INC Ransom claims to have stolen patient data in this attack, but that has yet to be confirmed by McLaren Health Care.
This was the second cyberattack to hit the health system in the past year. In August 2023, McLaren Health Care identified a cyberattack, and a month later the ALPHV/Blackcat ransomware group announced it was behind the attack. The group claimed to have stolen 6 terabytes of data from McLaren Health Care, including the data of 2.5 million patients. The size of that data breach has yet to be confirmed, as the HHS' Office for Civil Rights breach portal still shows the data breach as affecting 501 individuals, a placeholder used to meet the breach reporting deadline when the total number of affected individuals is not yet known.
While no evidence has been found linking the two attacks, that does not necessarily mean that there is no link whatsoever. ALPHV/BlackCat and INC Ransom are not known to work together, but it is common for victims of ransomware and extortion incidents to be hit more than once. Cybercriminal groups may work with each other, and ransomware-as-a-service affiliates may work with more than one ransomware group. It is possible that access is gained through malware infections that go undiscovered, with threat actors retaining access to a network, allowing them to conduct further attacks. Additionally, any organization that pays a ransom demand marks itself as a target for other groups, since an organization that has paid once may be willing to pay again. McLaren Health Care has not disclosed whether a ransom was paid in either attack. A spokesperson for McLaren Health Care said these two cyberattacks are unrelated, and it is possible that two attacks in a year is simply bad luck.
The latest attack prompted Michigan Attorney General Dana Nessel to issue a warning to state residents about the risk of misuse of their data. While the extent of any data theft has yet to be determined, Michiganders have been warned to be vigilant and look for signs of misuse of their information. Examples include bills from doctors for services that have not been received, calls from debt collectors about medical bills that are not owed, errors in Explanation of Benefits statements from insurers, insurance coverage denial notices for pre-existing medical conditions they do not have, and notices from health insurers saying benefits limits have been reached.
This is one of several cyberattacks on Michigan healthcare providers in the past few months. Ascension, which operates 15 hospitals in Michigan, was the victim of a ransomware attack that was detected in early May, and Michigan Medicine fell victim to a cyberattack in May 2024. Between January 1, 2023, and July 19, 2024, 30 healthcare data breaches were reported to the HHS' Office for Civil Rights by Michigan healthcare organizations, involving the protected health information of at least 2,545,921 individuals.