McLaren Health Care Hack Affected Millions; Lawsuits Pile Up

McLaren Health Care is notifying 2.2 million individuals of a data breach weeks after ransomware group Alphv/BlackCat claimed to have stolen 6 terabytes of patient records in an August attack. In the meantime, the number of federal lawsuits filed against the Michigan-based healthcare system has more than doubled over the last month.

See Also: Live Webinar | Generative AI: Myths, Realities and Practical Use Cases

McLaren Health Care on Thursday reported the hacking incident to Maine’s attorney general as affecting nearly 2.19 million individuals, including 77 Maine residents.

The compromised information includes individuals’ name, Social Security number, health insurance information, birthdate, and medical information including billing or claims information, diagnosis, physician information, medical record number, Medicare/Medicaid information, prescription/medication information, diagnostic results and treatment information, McLaren said.

McLaren also reported the incident to federal regulators on Oct. 20 with a placeholder estimate of 501 individuals affected at that time. But based on McLaren’s current estimate of nearly 2.2 million individuals affected, the incident ranks among the top 10 largest U.S. health data breaches reported so far in 2023 that did not involve zero-day vulnerability exploitations of Progress Software’s MOVEit file transfer software.

Alphv/BlackCat on Sept. 29 boasted on its dark web site that it had stolen 6 terabytes of “sensitive data” pertaining to 2.5 million McLaren patients. The threat actor also claimed its “backdoor is still running” on McLaren’s network (see: Group Claims It Stole 2.5 Million Patients’ Data in Attack.

Meanwhile, the flurry of lawsuits against McLaren in the wake of the incident continues, as several more proposed federal class action claims have been filed in recent weeks, bringing the total number of cases to seven so far (see: McLaren Health Care Facing 3 Lawsuits in Ransomware Hack).

Like the earlier lawsuits filed against McLaren, the more recent litigation alleges similar claims, including that McLaren was negligent in failing to protect individuals’ sensitive health and personal information.

“As a result of Defendant’s ineffective and inadequate data security practices, the data breach and the foreseeable consequences of private information ending up in the possession of criminals, the risk of identity theft to the plaintiff and class members has materialized and is imminent,” alleges the lawsuit filed on Oct. 20 by plaintiff Tamyra Wells on behalf of herself and others similar affected.

“McLaren’s system lacked simple and almost universal security measures used by healthcare companies, such as storing data in secure, offline locations; encrypting private records and data; using up-to-date software equipped with standard security patches; using antivirus applications that block malicious code from external sources; and implementing policies requiring all workers with system access to use https protocols when using online tools,” alleges the lawsuit filed on Oct. 16 by plaintiff David Weathers on behalf of himself and others similarly situated.

The seven lawsuits filed so far all seek similar relief, including financial damages and an injunctive order for McLaren to improve its data security practices.

Breach Details

In its breach notice, McLaren said it had become aware of suspicious activity related to certain McLaren computer systems on Aug. 22. The entity said it had immediately launched an investigation with the assistance of third-party forensic specialists to secure its network and to determine the nature and scope of the activity.

The investigation found unauthorized access to McLaren’s network between July 28 and Aug. 23. On Aug. 31, McLaren learned that the hackers had the ability to acquire certain information stored on the network during the period of access.

McLaren said it is reviewing its existing policies and procedures and will implement additional administrative and technical safeguards to further secure its systems.

McLaren declined Information Security Media Group’s request for additional details pertaining to the incident, including whether employee information also had been compromised and whether the organization had paid a ransom to the cybercriminals.

Headquartered in Grand Blanc, Michigan, McLaren is a $6.6 billion, integrated healthcare delivery system with 13 hospitals. Among its dozens of other facilities, McLaren operates Michigan’s largest network of cancer centers and providers. Its Karmanos Cancer Institute is one of about 56 National Cancer Institute-designated comprehensive cancer centers in the U.S.

In January, Alphv/BlackCat was the subject of a U.S. Department of Health and Human Services warning to the healthcare sector (see: BlackCat, Royal Among Most Worrisome Threats to Healthcare).

Soon after the HHS warning, Alphv/BlackCat claimed a number of other healthcare sector victims, including an attack in February on Lehigh Valley Health Network, which operates 13 hospitals and numerous physician practices and clinics in eastern Pennsylvania.

Other Regional Attacks

McLaren is not the only Michigan-based healthcare organization dealing with the aftermath of a recent cybersecurity incident.

Michigan-based Munson Healthcare on Monday told ISMG that it is investigating a cybersecurity incident that on Oct. 12 prompted the temporary, localized shutdown of IT systems at its Otsego Memorial Hospital in Gaylord.

“This outage was isolated only to Gaylord and did not affect the rest of the healthcare system. Temporary downtime measures were utilized and patient care was not affected,” a Munson Healthcare spokesperson said.

“We are actively engaged with outside experts on our investigation, and it is not yet complete. At this time, we have no reason to believe patient data has been compromised,” the spokesperson said.