McLaren Health Care confirms ransomware attack, investigates hackers' threats to release data online

A 14-hospital system in Michigan said it is investigating reports that millions of its patients’ data “may be available on the dark web” following a security breach that reportedly affected its computer systems early last month.

In statements posted online late last week, a ransomware group said it successfully stole over six terabytes of data from “one of Michigan’s largest healthcare companies” with threats to publish “if our proposal is ignored.”

A follow-up message the next day specifically named McLaren Health Care and suggested that “the sensitive data of 2.5 million of their patients” could be at risk.

In a statement, McLaren Health Care confirmed it had “detected suspicious activity” on its computer network that was later determined to be a ransomware event. The Grand Blanc, Michigan-based organization had brought down its computer network at 14 of its locations in early September, when the Detroit Free Press reported that some employees were forced to communicate via personal phones.

A representative of McLaren told Fierce Healthcare that the system had “immediately launched a comprehensive investigation” of the suspicious activity, during which it “retained leading global cybersecurity specialists” and communicated with law enforcement.

The system said it has since taken other measures “to further strengthen our cybersecurity posture” and head off any disruptions to patients and communities it serves.

“We are investigating reports that some of our data may be available on the dark web and will notify individuals whose information was impacted, if any, as soon as possible,” the system said in a statement. “We want to assure our patients and the communities we serve that our systems remain operational, and we continue to provide the exceptional care for which we are known.”

McLaren Health Care operates 3,412 licensed beds, employs about 17,000 people full-time and covers more than 730,000 lives across its health maintenance organization plans, according to its website. It reported nearly $6.4 billion in net revenue during 2022.

Cybersecurity breaches ran healthcare organizations an average of $10.1 million per incident during 2022, a 9.4% increase over 2021 that’s well above what other sectors of the economy are forced to spend.

2023 has already claimed a handful of high-profile hospital breaches. Major for-profit hospital chain HCA Healthcare disclosed in July an 11 million-patient data breach, though it said during a recent earnings call that it does not expect the breach to have a material impact on its business.

Another attack that kicked off in early August forced Prospect Medical Holdings’ affiliate systems to take some computer systems offline and limit certain services. Reports during the subsequent weeks suggested lingering system disruptions, while multiple filings with state attorneys general submitted on Friday outlined personal data exposures for thousands of its employees and their dependents.