Lansing, MI - Michigan Attorney General Dana Nessel is sharing consumer protection reminders following a ransomware attack at Grand Blanc, MI-based McLaren Health Care that could affect large numbers of patients.
Ransomware is a form of malware that can disable a company’s entire network. The cybercriminal typically steals data from the system before encrypting the network. The stolen data is held hostage until the ransom is paid.
Cybercriminal gang ALPHV (or BlackCat) has claimed responsibility for the theft of the sensitive personal health information (PHI) of 2.5 million McLaren patients. This group has also been linked to the MGM Resorts and other cyberattacks. In a message posted on the dark web last week, ALPHV claimed the McLaren data was on the dark web and would be released in a few days unless a ransomware payment was received.
“This attack shows, once again, how susceptible our information infrastructure may be,” Nessel said. “Organizations that handle our most personal data have a responsibility to implement safety measures that can withstand cyber-attacks and ensure that a patient’s private health information remains private.”
The actual number and identity of affected patients are unknown, as is the type of PHI. McLaren has acknowledged the ransomware attack in media interviews, saying it was “…investigating reports that some of [its] data may be available on the dark web and will notify individuals whose information was impacted, if any, as soon as possible.” McLaren also said it had found no evidence to suggest the group still has access to its IT systems. The healthcare provider has retained security experts and is in touch with law enforcement.
McLaren reportedly detected suspicious activity in its IT systems in August and later confirmed the ransomware attack. Its computer network was taken offline while the incident was investigated. This caused disruption across its healthcare facilities, although healthcare services continued to be provided at all locations and patient care was unaffected.
“Time is of the essence when a breach occurs to ensure affected individuals can take the necessary steps to protect their identities,” Nessel continued. “The Department’s website contains important measures for residents who believe their information may have been compromised.”
McLaren Health Care is a 15-hospital integrated healthcare system based in Grand Blanc, Michigan. Among its facilities is Michigan’s largest network of cancer centers and providers.
Data breaches involving PHI are required to be reported to the U.S. Department of Health & Human Services - Office for Civil Rights (hhs.gov) by HIPAA-covered entities. The report portal is searchable by state (where the entity is located). Since June 2023, the portal shows data breaches impacted the PHI of approximately 185,277 individuals. That number does not include McLaren.
Besides taking steps to protect your medical information, it is important to know the warning signs when someone is using your medical information. The signs include:
- a bill from your doctor for services you did not receive;
- errors in your Explanation of Benefits (EOB) statement like services you never received or prescription medications you don’t take;
- a call from a debt collector about a medical debt you don’t owe;
- medical debt collection notices on your credit report that you don’t recognize;
- a notice from your health insurance company indicating you have reached your benefit limit; or
- a denial of insurance coverage because your medical records show a pre-existing condition you don’t have.
Cyberattacks in the healthcare sector have increased in recent years, and the severity of healthcare data breaches is increasing. The largest data breach so far in 2023 compromised more than 8 million records. Of the 11 biggest data breaches of 2022, 8 occurred at hospitals or health systems. Ransomware is one of the most common attack vectors against healthcare organizations. The FBI received 870 complaints of ransomware attacks last year -- 210 from healthcare entities, more than any other sector.
The healthcare industry is one of the industries most likely to be targeted by cyberattacks because of the sheer volume of protected health information stored on its systems. Healthcare data breaches are very expensive to remedy, with the average breach costing more than $11 million.
If you receive a notification letter or hear news about a data breach at one of your medical providers, take these steps to secure your medical and financial accounts:
- Change the passwords on medical portals that you use.
- Check EOBs from your insurers carefully.
- Contact your bank and credit card issuers and ask them to put an alert on your accounts.
For more information on how to respond to data breaches, read Nessel's Data Breaches: What to do Next Consumer Alert.