All 13 McLaren hospitals and their ancillary facilities, including the Karmanos Cancer Institute facilities, are experiencing a common cyberattack. The McLaren IT systems are down and all of them are reduced to legacy paper systems:
McLaren confirms cyberattack across its 13 Michigan hospitals, physician network
By Kristen Jordan Shamus - August 6, 2024For the second time in a year, cybercriminals have attacked McLaren Health Care's technology platforms, the Grand Blanc-based health system said Wednesday afternoon, confirming the cause of a disruption earlier this week to all 13 of its Michigan hospitals, surgery, infusion and imaging centers along with its network of 113,000 medical providers throughout Michigan, Indiana and Ohio.
"McLaren Health Care can now confirm the disruption ... was the result of a criminal cyber attack," said a statement sent to the Free Press. "Our information technology team continues to work with external cyber security experts to analyze the nature of the attack and mitigate the impacts of the threat actors. At this time, we have not determined if any patient or employee data was compromised."
The disruption began early Monday, and crippled some parts of the system's operations.
For a short time, ambulances were diverted from McLaren Port Huron Hospital, and some appointments had to be canceled because physicians couldn't access radiology reports, lab test results or orders for additional testing and procedures.
"Immediately after becoming aware of the attack, our hospitals and outpatient clinics instituted downtime procedures to ensure care delivery within our facilities," the McLaren statement said. "Several information technology systems continue to operate in downtime procedures while we work to fully restore functionality to our system. We have policies and procedures in place and train for information technology disruptions. We are grateful for the response from our frontline caregivers and staff who have come together to provide care under these circumstances."
No estimate was given for how long the disruption will last, and spokesperson David Jones did not answer questions from the Free Press about whether this incident involved ransomware and whether it was related to last year's cyberattack from the ransomware gang known as BlackCat/AlphV.
"Currently, our facilities are largely operational and able to care for our communities and will continue to do so until operations are fully restored," the updated statement said. "Our emergency departments continue to be operational, most surgeries and procedures continue to be performed, and our physician offices continue to see as many patients as possible. During this time of limited access to our systems, and out of an abundance of caution, some non-emergent appointments, tests, and treatments are being rescheduled.
"In addition, we are also actively working with our vendor partners and insurance providers to ensure our supply chain is not impacted and insurance authorizations are processed for care and treatments."
About 730,000 people are enrolled in McLaren's insurance plans in Michigan and Indiana. It also provides hospice care and pharmacy services, and operates clinical laboratories.
More:McLaren Health Care's Michigan hospitals hit by 'disruption' to computer, phone systems
The health system advised patients to keep their previously scheduled appointments unless the medical provider asks them to reschedule. It also asked patients to bring paper copies of the following to all appointments:
- A list of current medications or prescription bottles
- Printed physician orders for imaging studies or treatments
- Printed results of recent lab tests, if available, via the McLaren or Karmanos patient portal
- A list of allergies
In late August 2023, McLaren shut down its computer network in response to a ransomware attack that potentially leaked patient data onto the dark web.
A ransomware gang known as BlackCat/AlphV claimed responsibility then, posting online that it stole 6 terabytes of McLaren's data, including the personal information of 2.5 million patients.
Cyberattacks and the data breaches that often accompany them are a growing problem in health care, not only exposing the protected health data of patients but also affecting the ability to provide health care.
More:Cyberattack hits Ascension hospitals' computer networks: 'It's affecting everything'
Last year alone, 725 data breaches were reported to the U.S. Department of Health and Human Services Office for Civil Rights and more than 133 million records containing protected health data were exposed, according to the HIPAA Journal.
A cybersecurity breach in May that struck all 140 Ascension hospitals in the U.S., including in Michigan, forced the Catholic, nonprofit health system to postpone or cancel some appointments, divert ambulances to other hospitals and cut off electronic access to medical records, lab test results, radiology imaging and even impaired the ability for doctors to issue medical orders.
Our feckless Attorney General hasn't been able to find or prosecute any of the cybercriminals who have made a mess of our health care system, but her office does offer advice to victims and potential victims:
AG Nessel Alerts Consumers of Ways to Protect Their Data After McLaren Cyber Attack
By Danny Wimmer - August 09, 2024
LANSING – Michigan Attorney General Dana Nessel is reminding residents about consumer protection tips in the wake of McLaren Health Care’s most recent IT disruption.“These events serve as a clear warning that our most private information is under constant threat from cybercriminals,” said Nessel. “I encourage everyone to be diligent in safeguarding their accounts and to be on the lookout for any indications of personal data exploitation. Unfortunately, at this time information is scarce as to what information may have been exposed. While more than 30 other states have laws requiring State notification of significant breaches, Michigan is not among them, and consumer protection agencies like ours often only learn of these attacks by media reporting.”
Nessel wants consumers to understand the importance of protecting their medical information after a data breach and to recognize the warning signs that may indicate someone is using their information. Affected individuals should watch out for:
- A bill from your doctor for services you didn’t receive.
- Errors in your Explanation of Benefits (EOB), like services you never received or medications you don’t take.
- Calls from debt collectors about medical bills you don’t owe.
- Medical debt collection notices on your credit report that you don’t recognize.
- A notice from your health insurance company saying you’ve reached your benefit limit.
- Denied insurance coverage due to a pre-existing condition you don’t have.
A statement on McLaren’s website indicates the disruption, which was reported on Tuesday, August 6, was the result of a “criminal cyber attack.” McLaren’s statement goes on to indicate its facilities are “largely operational,” but admits it has limited access to its systems.
In October of last year, McLaren was the victim of another attack by a cybercriminal gang known as BlackCat/AlphV, which claimed to have stolen the sensitive personal health information of 2.5 million McLaren patients. Approximately 2,148,749 Michigan residents were sent data breach notice letters advising that certain of their personal information may have been impacted.
McLaren Health Care is a 13-hospital integrated healthcare system based in Grand Blanc, Michigan. Among its facilities is Michigan’s largest network of cancer centers and providers.
If you receive a notification letter or hear about a data breach at one of your medical providers, take these steps to secure your medical and financial accounts:
- Change the passwords on any medical portals you use.
- Check your EOBs from insurers carefully.
- Contact your bank and credit card issuers to place an alert on your accounts.
For more information on how to respond to data breaches, read Attorney General Nessel's consumer alert, Data Breaches: What to Do Next.
If consumers are concerned that their data may have been impacted, they can also consider freezing their credit. A credit freeze prevents creditors—such as banks or lenders—from accessing individuals’ credit reports. This will stop identity thieves from taking out new loans or credit cards in consumer’s names because creditors will not approve their loans or credit requests if they cannot first access their credit reports. By law, a credit bureau must allow you to place, temporarily lift, or remove a credit freeze for free.
When consumers freeze their credit with each bureau, the bureaus will send them a personal identification number. The consumers can then use that PIN to unfreeze their credit if they want to apply for a loan or credit card. Consumers can also use the PIN to freeze their credit again after they have applied for loans or a new credit card.
Individuals will have to freeze their credit with each bureau: Experian, Equifax, and TransUnion.
- Equifax: +1 (888) 766-0008
- Experian: +1 (888) 397-3742
- TransUnion: +1 (800) 680-7289
Cyber attacks in the healthcare sector have been increasing, as well as the severity of the data breaches. The largest data breach in 2023 compromised over 8 million records. In 2022, eight out of the eleven biggest data breaches happened at hospitals or health systems.
Ransomware is one of the most common threats against healthcare organizations. The FBI received 870 complaints of ransomware attacks last year—210 of them from healthcare entities, more than any other sector.
The healthcare industry is highly targeted by cyber attacks because of the large amount of Personal Health Information stored on its systems. These data breaches are costly, with the average breach costing over $11 million to fix.
The McLaren attack comes only months after a ransomware attack on the St. Louis-based Catholic healthcare system Ascension, which operates 15 hospitals in Michigan, and only weeks after Michigan Medicine announced that up to 56,953 patients may have had some health information compromised when employee emails were hacked between May 23 and May 29, 2024.
McLaren has not provided a date for when its systems will be fully functional again.
McLaren Completes Its Internal Investigation
Ten months later, McLaren reveals 740,000 impacted by ransomware attack
A sign for McLaren Medical Laboratory in Flint, Michigan.
By Eli Newman - June 26, 2025* Last summer, hackers accessed sensitive patient information at McLaren Health Care, including medical records and Social Security numbers
* The 12 hospital system concluded an internal review of the cybersecurity breach on May 5 and recently started to inform affected individuals
* The breach was the second in two yearsAfter 10 months, McLaren Health Care has begun to notify more than 740,000 patients that had sensitive personal data and health records exposed during the hospital system’s August 2024 ransomware attack.
The extent of the data extortion scheme, which delayed critical care for chronically ill patients at the Karmanos Cancer Institute and facilities across the state, came to light in recent days as the 12-hospital system based in Grand Blanc posted notice on its website and informed state agencies about the incident.
The cyberattack revealed a range of private files to a group of hackers who use patient data as criminal collateral, including individual medical history, treatment information, Social Security numbers, health insurance and medication records.
Dave Jones, a spokesperson for McLaren, said the hospital system completed its internal investigation with a third-party forensic specialist on May 5 when it determined sensitive patient data had been illegally accessed.
He says the health care system has “followed all regulatory reporting guidelines.”
“Protecting the security and privacy of data in our systems is a top priority,” Jones told Bridge Michigan in an email.
“While there is no evidence of actual or attempted misuse of personal information as a result of the incident, McLaren has begun the process of notifying patients whose data may have been impacted by the event and offering complementary identity protection out of an abundance of caution.”
Federal law requires breaches of protected health information affecting more than 500 people to be reported "without unreasonable delay" and no later than 60 calendar days after discovery.
The US Department of Health and Human Services, which maintains a database of health record breaches required by law, had not posted McLaren’s most recent cybersecurity failure as of June 26.
The agency declined to comment to Bridge Michigan on McLaren.
The Michigan Attorney General’s Office did not respond to Bridge request for comment on the agency’s awareness of the breach or McLaren’s obligation to inform those impacted by the security failure.
It’s the second such ransomware attack for McLaren since October 2023, when the personal health information of at least 2.5 million patients were exposed by the hacker gang BlackCat/ALPHV.
In previous statements, Attorney General Dana Nessel said state law does not require companies to notify the government of significant data breaches, with her office generally learning about consumer-impacting cyberattacks through media reports.
According to the latest available data, the US Department of Health and Human Services Office of Civil Rights is currently reviewing 28 leaks in the state, including those at Michigan Medicine and Catholic Charities West Michigan.
The investigations cover more than 800,000 individuals.
Hacker threats
McLaren has not specified the actors behind the attack, or its response to the extortion scheme, but cybersecurity watchdogs have linked the ransomware breach to the Inc. Ransom cybergang.
Memos reportedly obtained by employees allege the hacker group wanted “nothing more than money” as part of the scheme.
Claudia Rast, a cybersecurity attorney with the Detroit-based law firm Butzel Long, said patient data from ransomware attacks generally end up on the dark web, where the records become available to anybody who wants to buy.
“It’s like a ‘Star Wars’ bar,” Rast told Bridge Michigan. “You don’t want to go there.”
The aftermath of a cyberattack is a “fairly chaotic situation,” Rast explained, with groups like McLaren working first to identify the vulnerabilities that lead to a breach before identifying what exactly was accessed during the hack.
Figuring out which data was taken by groups like Inc. Ransom and BlackCat/ALPHV requires extensive internal audits and data mining processes that often span weeks.
“The threat actors don't label with an Excel spreadsheet… what they took,” she said.
While companies generally employ legal counsel to ensure their compliance with state law and federal statutes like the Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act, Rast says their biggest expense is usually the mailing campaigns that follow to inform impacted individuals.
“More often these days, companies have good backups, so they can restore their systems over time,” Rast said. “It's notification and the forensic work that seems to be the greater cost.”
What can patients do?
As part of its consumer alert, McLaren is urging patients to monitor and review their financial statements and insurance claims, offering free credit monitoring and services through the identity theft protection company IDX.
Credit freezes can also help stop identity theft, and companies like Equifax and TransUnion offer a one-year, free fraud alert to monitor for suspicious activity.
But consumer advocates, like Suzanne Bernstein with the privacy protection advocacy group the Electronic Privacy Information Center, worry that breaches like those experienced by McLaren risk “chilling access to health care” as hacking attacks become more frequent.
“We’re often seeing reporting of the breach of really sensitive health information from hospital systems,” said Bernstein. “There's just an increased amount of data collection, which only increases the risk that data has to unauthorized use or breach.”
Bernstein said she worries about a “broader societal harm” as more health information is digitized, advocating for “data minimization” — which requires entities to limit collection based on need.
She highlighted litigation targeting hospital systems’ use of cookies and third-party ad trackers as examples of efforts to challenge data sharing outside of the patient-provider relationship, and advocates for more robust state and federal law that protects health information.
“I think having sectoral but also comprehensive privacy, cybersecurity requirements on the federal level would be great,” Bernstein said. “I sympathize with the reaction of feeling a little helpless as one person compared to a much larger, broader system.”
Sponsors
Friends of MHF
Kirsten DeVries
Tom & Karen Nunheimer
Steve Ahonen
Ron & Faith Bosserman
Marlin & Kathy Klumpp
Sign Up for MHF Insights to keep up on the latest in Michigan Health Policy
