McLaren Health Care is in the process of writing to 743,131 individuals now that it fully understands the impact of its July 2024 cyberattack.
The attack was carried out on Karmanos Cancer Institute, an independent organization that’s part of McLaren’s network, on July 17, 2024, but was not detected until August 5, according to the letters being sent to affected individuals.
In the breach notification it filed with Maine’s attorney general on behalf of Karmanos, McLaren did not mention ransomware by name, but the attack was claimed by the INC ransomware crew in August, at which time social media users posted what appeared to be printed ransom notes.
McLaren refers to it only as a “cybersecurity attack” in its notification, one that compromised personal and protected health information.
The data types affected included:
- Names
- Social Security numbers
- Driver’s license numbers
- Medical information
- Health insurance information
“Upon discovering the event, McLaren moved quickly to investigate and respond to the incident, assess the security of McLaren systems, and identify potentially affected individuals,” the letters stated. “McLaren is also working to implement additional safeguards and training to its employees.”
McLaren did not apologize to the affected individuals in the letter, but assured them there is no evidence the data stolen during the attack has been abused, and offered 12 months’ worth of free credit monitoring.
The Michigan-based healthcare company is worth a self-reported $7.3 billion and encompasses 12 hospitals across the state, as well as ambulatory surgery centers, imaging centers, pharmacy services, a clinical lab network, and more.
Its website also claims it oversees a medical malpractice insurance company, and commercial and Medicare HMOs covering more than 732,838 people across Michigan and Indiana.
The attack on Karmanos, located in Detroit, was the second major data security incident affecting McLaren in 12 months, with the previous one occurring in July 2023.
The earlier attack targeted the healthcare network itself and was claimed by the now-shuttered ALPHV/BlackCat group at around the same time that group was also linked, in part, to the spate of hits on Las Vegas casinos.
Following the ransomware crooks’ claims, McLaren disclosed its side of things with Maine’s attorney general, revealing the affiliates responsible hung around, undetected, on its network for almost a month.
“On or about August 22, 2023, we became aware of suspicious activity related to certain McLaren computer systems,” it said at the time. “We immediately launched an investigation with the assistance of third-party forensic specialists to secure our network and to determine the nature and scope of the activity.
“Through the investigation, it was determined that there was unauthorized access to McLaren’s network between July 28, 2023, and August 23, 2023. On August 31, 2023, we learned the unauthorized actor had the ability to acquire certain information stored on the network during the period of access.”
ALPHV/BlackCat claimed to have stolen data belonging to 2.5 million people, although the real number was a little less. McLaren confirmed the final count was 2,192,515.
That data included:
- Names
- Social Security numbers
- Health insurance information
- Dates of birth
- Billing or claims information
- Diagnoses
- Physician information
- Medical record numbers
- Medicare/Medicaid information
- Prescription/medication information
- Diagnostic and treatment information
Michigan’s attorney general at the time, Dana Nessel, said: “This attack shows, once again, how susceptible our information infrastructure may be. Organizations that handle our most personal data have a responsibility to implement safety measures that can withstand cyberattacks and ensure that a patient’s private health information remains private.”
McLaren has not faced any regulatory penalties following either of its attacks, although data protection lawyers can smell blood.
Several law firms have already announced investigations into the company and are appealing for individuals to join their class action against McLaren.
The Register asked McLaren and Karmanos for additional information but neither responded immediately.