- Contraception For Teens: Let's Talk About It
- Gounder Gives Lowdown on Ebola, Peptides, and Colorectal Screenings
- ASCO: Pfizer one-ups J&J with Talzenna combo's broad castration-sensitive prostate cancer win
- ASCO: With bispecifics on its heels, Incyte positions Monjuvi combo for first-line DLBCL
- 6 dental technology updates in May
- From clinician to leader: Building confidence, capability and leadership in dentistry
- Operationalizing AI at scale: A practical framework for enterprise-scale success
- 3 key stats on the orthodontist workforce
- Meet the COOs of 10 specialty DSOs
- Data, cross-training, and pipeline development: How health systems are rethinking OR staffing
- How top health systems are redefining the digital patient experience
- ‘The most significant change in 20 years’: Cancer centers prepare for daraxonrasib demand
- A Smooth Handoff From Decision to Dollars: Connecting the Last Mile in Healthcare Payments
- Budget-Strapped Montana Will Stress-Test Trump’s Medicaid Work Rules
- How CEOs actually use hospital rankings — and when they don’t
- What OU Health’s founding CEO learned building a new health system
- Arkansas hospital CEO to step down after 11 years for new role
- The behavioral health workforce pipeline: Where it stands and where it’s headed
- 6 major investments in youth behavioral health
- Coalition for Health AI unveils governance playbook for systems
- 66 health systems ranked by long-term debt
- UnitedHealthcare drops some prior auth requirements for cardiology, orthopedic services
- 8 No Surprises Act shake-ups physicians need to know
- The ASC independence playbook: 3 leaders’ thoughts
- Dr. Rahimah Maina opens new dental practice
- GWU offloaded its $450M physician group problem — why the industry watching
- The gastroenterologist pay gap
- Texas surgery center to double in size, add 2 ORs
- What dental leaders told us in May
- Climate Change: Statement on Proposed Rescission of Climate-Related Disclosure Rules
- Kenyan Court Blocks Trump's Plan To Quarantine Ebola Patients
- What’s going on at the FTC? 3 notes for ASC leaders
- 8 DSOs making headlines
- The physician noncompete battle in 5 key figures
- The physician red flags that can predict a bad ASC partner
- Patient death draws renewed CMS scrutiny at HCA’s Mission Hospital
- Nearly 70% of US counties lack a GI: 13 concerning workforce stats
- Statement of Commissioner Mark T. Uyeda on the Rescission of Climate-Related Disclosure Rules
- A new behavioral health profession is born
- Keynote Remarks at the 2026 Reagan National Economic Forum
- Statement on Proposing Release for Rescission of Climate-Related Disclosure Rules
- Dentists’ pay climbed the most in these 10 states
- Mental Health Disorders Now No. 1 Cause of Disability Worldwide
- Massachusetts AG sues UnitedHealthcare over alleged Medicaid fraud
- UnitedHealthcare to nix nearly two thirds of pediatric prior auths
- Industry Voices—Patients are building a new healthcare system. The industry is finally catching up
- Weekly Rundown—Moffitt Cancer Center expands Reimagine Care's virtual oncology model; Tanner Health deploys AI workforce solution
- Study: LA Canine Outbreak Caused By Low Vaccination Rates, Crowded Boarding
- Ocrelizumab Effective In Slowing Progressive MS, Trial Shows
- Long COVID Might Be Twice As Common As Previously Thought
- In Vaccine-Skeptical California County, A Potential Playbook To Contain Measles
- Heavy Drinking Harms College Students' Brain Power, Study Finds
- A Trump Stronghold Grapples With Health Risks of ICE Detention Sites
- After Her Bout of Amnesia, a $59,000 Billing Dispute Wouldn’t Go Away
- Pharma urged to modernize patient support as young adult cancer rates rise
- Philips adds a spoonful of Disney sugar to ease kids’ MRI anxieties
- MannKind seeks long-awaited sales boost with inhaled insulin approval for kids
- Aetna to launch ‘on demand’ virtual mental health services in 2027
- U of Connecticut dental school reappoints dean for 2nd term
- Michigan dentist charged with Medicaid fraud
- Brand-name drug prices climb after launch in US, fall abroad amid MFN push: report
- ASCO: After Takeda’s defeat, Dizal picks up baton to take on J&J in EGFR lung cancer subtype
- Acadia in the headlines: 6 things to know
- 26 behavioral health executive moves to know
- AstraZeneca gains 2nd bladder cancer nod in key expansion for Imfinzi
- Advocate Health grows Q1 revenue by 10.8% amid higher volumes, greater efficiency
- Behavioral health hospital operator to pay $32M in Medicare fraud settlement
- Bangladesh Measles Surge Kills 500+ Children; Vaccine Delays Blamed
- Care navigation startup Garner Health banks $100M series E at $2.74B valuation
- HCA bolsters workforce pipeline with healthcare professional college acquisition
- Plant-Based Diet May Cut Obesity Risk For Women In Menopause
- Pharma leaders meet with PM Takaichi in push for Japan to retain R&D edge
- Penn Medicine, K Health partner to deploy AI clinical agents
- CVS restores coverage of Eli Lilly obesity med Zepbound, adds new pill Foundayo
- CVS restores coverage of Eli Lilly obesity med Zepbound, adds new pill Foundayo
- CMS finalizes changes to No Surprises Act dispute resolution process
- Smartwatch App Accurately Detects Major Epileptic Seizures
- Racial Gap Exists For Asthma Inhaler Use
- New Colon Cancer Screening Guidelines Add Blood And At-Home Tests
- Fierce Pharma Asia—More China biotech hawkishness; Pfizer’s $10B Innovent deal; Astellas’ roadmap
- CVS expands partnership with Salesforce for greater call center personalization
- Nurse Convicted In Patient's Death Turns Fatal Drug Error Into Cautionary Tale
- Wearable Ultrasound Patch Monitors High-Risk Pregnancies In Real Time
- Listen to the Latest ‘KFF Health News Minute’
- In a Vaccine-Skeptical California County, a Potential Playbook To Contain Measles
- Teladoc Health inks partnership with Walmart to expand virtual care services
- PharmaEssentia taps Incyte alum Eric Vogel as it eyes Besremi expansion
- Kaléo speaks up on allergy awareness to amplify patient stories
- Privacy and PetShops: Remarks at the Regulatory PETshop Series: Cryptographic Technologies and Financial Services Regulation
- NYC Health + Hospitals adds 2nd behavioral health housing site
- Mindfulness isn’t a perk anymore — it’s a workforce strategy
- With Elahere building steam, AbbVie nets FDA nod for another ImmunoGen cancer asset
- Hospitals again ask FTC, DOJ for exemption from expanded premerger notification filings
- Coalition for Health AI unveils governance playbooks for responsible AI adoption
- Amazon taps Roy Schoenberg to lead healthcare business as Neil Lindsay plans to step down
- Viridian, awaiting FDA decision, taps WuXi Bio in eye drug supply deal
- U.S. To Keep Ebola-Exposed Citizens In Kenya Under New Policy
- CAT on a Hot Tin Roof
- GLP-1 Meds May Help Slow the Spread of Certain Obesity-Related Cancers
- GoodRx launches subscription program for low-cost generic medications, telehealth services
- George Washington University locks deal to hand off debt-ridden physician practice to UHS
- Humana invests $83M in new Florida pharmacy distribution center
- As J&J separates from its orthopedics business, it's laying off 56 employees in New Jersey
- ASCO preview: With expectations jacked up, Akeso's ivonescimab to face scrutiny in high-stakes plenary
- An insider’s look at LillyDirect
- GLP-1 manufacturer CordenPharma strikes deal for peptide CDMO, lining up new production sites in US and China
- Weight-Loss Program Helps Women Battling Breast Cancer
- Younger U.S. Women of Color Face Rising Breast Cancer Deaths
- High Fitness Doesn’t Raise A-fib Risk In Young Men, Study Finds
- Cheaper, Alternative Health Plans Are Having A Moment, But Critics Urge Caution
- Ultrafine Wildfire Smoke Particles May Pose Serious Health Risks
- Montana Hurries To Adopt Trump’s Medicaid Work Rules Amid Budget Woes
- Readers Address Drugged Driving, Suicide Prevention, Worker Shortages
- Nurse Convicted in Patient’s Death Turns Fatal Drug Error Into a Cautionary Tale
- Amid policy and pricing headwinds, US healthcare and life sci faces 'vast field of opportunity': survey
- Amid policy and pricing headwinds, US healthcare and life sci faces 'vast field of opportunity': survey
- Biogen investigated by Italian regulator over multiple sclerosis ‘market abuse’ claims
- FDA delays ruling on AstraZeneca’s breast cancer drug after negative adcomm vote
- Eli Lilly wins argument over Noom’s GLP-1 dosing claims
- Remarks at the Stanford Rock Center for Corporate Governance
- Smart ring maker Oura files confidentially for IPO as consumer demand propels revenue growth
- Outlook moves toward potential US nod for thrice-snubbed eye drug with FDA appeal win
- JD Power: Cost pressures worsen member experience with commercial plans
- Trump Admin Bars Key U.S. Researchers From Global Virus Response Talk
- Listen to the Latest ‘KFF Health News Minute’
- As calls for COINS Act expansion grow, will new rules sweep up China biotech licensing?
- Everyone Has A Family Doc, But Can You Get An Appointment?
- Many U.S. College Students With Psychosis Are Not Receiving Treatment
- Antibiotics Won't Help Ease Asthma-Linked Wheezing in Kids
- Yoga Eases Insomnia And Anxiety In Cancer Survivors, Study Finds
- Dust Yields Clues to Viral Outbreaks, Study Finds
- 3 Medical Routines That Older People May Not Need
- Acting NIAID Chief Steps Down Amid Ebola, Hantavirus Concerns
- Sunscreen Confusion Puts More Americans At Risk For Melanoma
- 1 In 10 U.S. Surgeons Quit Practice, Study Warns Of Shortage
- Video Game Can Detect Depression In Minutes, Study Says
- Quitting Smoking Might Lower Your Dementia Risk
- Severe Asthma Often Comes With Other Serious Health Problems
- Efforts To Understand The Nation's Drugged Driving Problem Stall Under Trump
- RFK Jr. Fires Two Leaders Of Major U.S. Health Task Force
- Common Food Preservatives Linked to Major Heart Problems
- Migraine With Aura Linked To Middle-Age Stroke Risk
- Nicotine Vapes Triple Smokers' Odds Of Quitting Tobacco
- Fixing Eligibility at the Point of Care: The Missing Link in Medical Device Reimbursement Integrity
- Fixing Eligibility at the Point of Care: The Missing Link in Medical Device Reimbursement Integrity
- The failure of the ‘usual suspects’ approach to life science recruitment
- The failure of the ‘usual suspects’ approach to life science recruitment
- Statement on Novel Exchange-Traded Funds (ETFs)
- Value, Focus, and the Future of MedTech: M&A and Divestitures are Rewriting the Strategic Playbook.
- Value, Focus, and the Future of MedTech: M&A and Divestitures are Rewriting the Strategic Playbook.
All 13 McLaren hospitals and their ancillary facilities, including the Karmanos Cancer Institute facilities, are experiencing a common cyberattack. The McLaren IT systems are down and all of them are reduced to legacy paper systems:
McLaren confirms cyberattack across its 13 Michigan hospitals, physician network
By Kristen Jordan Shamus - August 6, 2024For the second time in a year, cybercriminals have attacked McLaren Health Care's technology platforms, the Grand Blanc-based health system said Wednesday afternoon, confirming the cause of a disruption earlier this week to all 13 of its Michigan hospitals, surgery, infusion and imaging centers along with its network of 113,000 medical providers throughout Michigan, Indiana and Ohio.
"McLaren Health Care can now confirm the disruption ... was the result of a criminal cyber attack," said a statement sent to the Free Press. "Our information technology team continues to work with external cyber security experts to analyze the nature of the attack and mitigate the impacts of the threat actors. At this time, we have not determined if any patient or employee data was compromised."
The disruption began early Monday, and crippled some parts of the system's operations.
For a short time, ambulances were diverted from McLaren Port Huron Hospital, and some appointments had to be canceled because physicians couldn't access radiology reports, lab test results or orders for additional testing and procedures.
"Immediately after becoming aware of the attack, our hospitals and outpatient clinics instituted downtime procedures to ensure care delivery within our facilities," the McLaren statement said. "Several information technology systems continue to operate in downtime procedures while we work to fully restore functionality to our system. We have policies and procedures in place and train for information technology disruptions. We are grateful for the response from our frontline caregivers and staff who have come together to provide care under these circumstances."
No estimate was given for how long the disruption will last, and spokesperson David Jones did not answer questions from the Free Press about whether this incident involved ransomware and whether it was related to last year's cyberattack from the ransomware gang known as BlackCat/AlphV.
"Currently, our facilities are largely operational and able to care for our communities and will continue to do so until operations are fully restored," the updated statement said. "Our emergency departments continue to be operational, most surgeries and procedures continue to be performed, and our physician offices continue to see as many patients as possible. During this time of limited access to our systems, and out of an abundance of caution, some non-emergent appointments, tests, and treatments are being rescheduled.
"In addition, we are also actively working with our vendor partners and insurance providers to ensure our supply chain is not impacted and insurance authorizations are processed for care and treatments."
About 730,000 people are enrolled in McLaren's insurance plans in Michigan and Indiana. It also provides hospice care and pharmacy services, and operates clinical laboratories.
More:McLaren Health Care's Michigan hospitals hit by 'disruption' to computer, phone systems
The health system advised patients to keep their previously scheduled appointments unless the medical provider asks them to reschedule. It also asked patients to bring paper copies of the following to all appointments:
- A list of current medications or prescription bottles
- Printed physician orders for imaging studies or treatments
- Printed results of recent lab tests, if available, via the McLaren or Karmanos patient portal
- A list of allergies
In late August 2023, McLaren shut down its computer network in response to a ransomware attack that potentially leaked patient data onto the dark web.
A ransomware gang known as BlackCat/AlphV claimed responsibility then, posting online that it stole 6 terabytes of McLaren's data, including the personal information of 2.5 million patients.
Cyberattacks and the data breaches that often accompany them are a growing problem in health care, not only exposing the protected health data of patients but also affecting the ability to provide health care.
More:Cyberattack hits Ascension hospitals' computer networks: 'It's affecting everything'
Last year alone, 725 data breaches were reported to the U.S. Department of Health and Human Services Office for Civil Rights and more than 133 million records containing protected health data were exposed, according to the HIPAA Journal.
A cybersecurity breach in May that struck all 140 Ascension hospitals in the U.S., including in Michigan, forced the Catholic, nonprofit health system to postpone or cancel some appointments, divert ambulances to other hospitals and cut off electronic access to medical records, lab test results, radiology imaging and even impaired the ability for doctors to issue medical orders.
Our feckless Attorney General hasn't been able to find or prosecute any of the cybercriminals who have made a mess of our health care system, but her office does offer advice to victims and potential victims:
AG Nessel Alerts Consumers of Ways to Protect Their Data After McLaren Cyber Attack
By Danny Wimmer - August 09, 2024
LANSING – Michigan Attorney General Dana Nessel is reminding residents about consumer protection tips in the wake of McLaren Health Care’s most recent IT disruption.“These events serve as a clear warning that our most private information is under constant threat from cybercriminals,” said Nessel. “I encourage everyone to be diligent in safeguarding their accounts and to be on the lookout for any indications of personal data exploitation. Unfortunately, at this time information is scarce as to what information may have been exposed. While more than 30 other states have laws requiring State notification of significant breaches, Michigan is not among them, and consumer protection agencies like ours often only learn of these attacks by media reporting.”
Nessel wants consumers to understand the importance of protecting their medical information after a data breach and to recognize the warning signs that may indicate someone is using their information. Affected individuals should watch out for:
- A bill from your doctor for services you didn’t receive.
- Errors in your Explanation of Benefits (EOB), like services you never received or medications you don’t take.
- Calls from debt collectors about medical bills you don’t owe.
- Medical debt collection notices on your credit report that you don’t recognize.
- A notice from your health insurance company saying you’ve reached your benefit limit.
- Denied insurance coverage due to a pre-existing condition you don’t have.
A statement on McLaren’s website indicates the disruption, which was reported on Tuesday, August 6, was the result of a “criminal cyber attack.” McLaren’s statement goes on to indicate its facilities are “largely operational,” but admits it has limited access to its systems.
In October of last year, McLaren was the victim of another attack by a cybercriminal gang known as BlackCat/AlphV, which claimed to have stolen the sensitive personal health information of 2.5 million McLaren patients. Approximately 2,148,749 Michigan residents were sent data breach notice letters advising that certain of their personal information may have been impacted.
McLaren Health Care is a 13-hospital integrated healthcare system based in Grand Blanc, Michigan. Among its facilities is Michigan’s largest network of cancer centers and providers.
If you receive a notification letter or hear about a data breach at one of your medical providers, take these steps to secure your medical and financial accounts:
- Change the passwords on any medical portals you use.
- Check your EOBs from insurers carefully.
- Contact your bank and credit card issuers to place an alert on your accounts.
For more information on how to respond to data breaches, read Attorney General Nessel's consumer alert, Data Breaches: What to Do Next.
If consumers are concerned that their data may have been impacted, they can also consider freezing their credit. A credit freeze prevents creditors—such as banks or lenders—from accessing individuals’ credit reports. This will stop identity thieves from taking out new loans or credit cards in consumer’s names because creditors will not approve their loans or credit requests if they cannot first access their credit reports. By law, a credit bureau must allow you to place, temporarily lift, or remove a credit freeze for free.
When consumers freeze their credit with each bureau, the bureaus will send them a personal identification number. The consumers can then use that PIN to unfreeze their credit if they want to apply for a loan or credit card. Consumers can also use the PIN to freeze their credit again after they have applied for loans or a new credit card.
Individuals will have to freeze their credit with each bureau: Experian, Equifax, and TransUnion.
- Equifax: +1 (888) 766-0008
- Experian: +1 (888) 397-3742
- TransUnion: +1 (800) 680-7289
Cyber attacks in the healthcare sector have been increasing, as well as the severity of the data breaches. The largest data breach in 2023 compromised over 8 million records. In 2022, eight out of the eleven biggest data breaches happened at hospitals or health systems.
Ransomware is one of the most common threats against healthcare organizations. The FBI received 870 complaints of ransomware attacks last year—210 of them from healthcare entities, more than any other sector.
The healthcare industry is highly targeted by cyber attacks because of the large amount of Personal Health Information stored on its systems. These data breaches are costly, with the average breach costing over $11 million to fix.
The McLaren attack comes only months after a ransomware attack on the St. Louis-based Catholic healthcare system Ascension, which operates 15 hospitals in Michigan, and only weeks after Michigan Medicine announced that up to 56,953 patients may have had some health information compromised when employee emails were hacked between May 23 and May 29, 2024.
McLaren has not provided a date for when its systems will be fully functional again.
McLaren Completes Its Internal Investigation
Ten months later, McLaren reveals 740,000 impacted by ransomware attack
A sign for McLaren Medical Laboratory in Flint, Michigan.
By Eli Newman - June 26, 2025* Last summer, hackers accessed sensitive patient information at McLaren Health Care, including medical records and Social Security numbers
* The 12 hospital system concluded an internal review of the cybersecurity breach on May 5 and recently started to inform affected individuals
* The breach was the second in two yearsAfter 10 months, McLaren Health Care has begun to notify more than 740,000 patients that had sensitive personal data and health records exposed during the hospital system’s August 2024 ransomware attack.
The extent of the data extortion scheme, which delayed critical care for chronically ill patients at the Karmanos Cancer Institute and facilities across the state, came to light in recent days as the 12-hospital system based in Grand Blanc posted notice on its website and informed state agencies about the incident.
The cyberattack revealed a range of private files to a group of hackers who use patient data as criminal collateral, including individual medical history, treatment information, Social Security numbers, health insurance and medication records.
Dave Jones, a spokesperson for McLaren, said the hospital system completed its internal investigation with a third-party forensic specialist on May 5 when it determined sensitive patient data had been illegally accessed.
He says the health care system has “followed all regulatory reporting guidelines.”
“Protecting the security and privacy of data in our systems is a top priority,” Jones told Bridge Michigan in an email.
“While there is no evidence of actual or attempted misuse of personal information as a result of the incident, McLaren has begun the process of notifying patients whose data may have been impacted by the event and offering complementary identity protection out of an abundance of caution.”
Federal law requires breaches of protected health information affecting more than 500 people to be reported "without unreasonable delay" and no later than 60 calendar days after discovery.
The US Department of Health and Human Services, which maintains a database of health record breaches required by law, had not posted McLaren’s most recent cybersecurity failure as of June 26.
The agency declined to comment to Bridge Michigan on McLaren.
The Michigan Attorney General’s Office did not respond to Bridge request for comment on the agency’s awareness of the breach or McLaren’s obligation to inform those impacted by the security failure.
It’s the second such ransomware attack for McLaren since October 2023, when the personal health information of at least 2.5 million patients were exposed by the hacker gang BlackCat/ALPHV.
In previous statements, Attorney General Dana Nessel said state law does not require companies to notify the government of significant data breaches, with her office generally learning about consumer-impacting cyberattacks through media reports.
According to the latest available data, the US Department of Health and Human Services Office of Civil Rights is currently reviewing 28 leaks in the state, including those at Michigan Medicine and Catholic Charities West Michigan.
The investigations cover more than 800,000 individuals.
Hacker threats
McLaren has not specified the actors behind the attack, or its response to the extortion scheme, but cybersecurity watchdogs have linked the ransomware breach to the Inc. Ransom cybergang.
Memos reportedly obtained by employees allege the hacker group wanted “nothing more than money” as part of the scheme.
Claudia Rast, a cybersecurity attorney with the Detroit-based law firm Butzel Long, said patient data from ransomware attacks generally end up on the dark web, where the records become available to anybody who wants to buy.
“It’s like a ‘Star Wars’ bar,” Rast told Bridge Michigan. “You don’t want to go there.”
The aftermath of a cyberattack is a “fairly chaotic situation,” Rast explained, with groups like McLaren working first to identify the vulnerabilities that lead to a breach before identifying what exactly was accessed during the hack.
Figuring out which data was taken by groups like Inc. Ransom and BlackCat/ALPHV requires extensive internal audits and data mining processes that often span weeks.
“The threat actors don't label with an Excel spreadsheet… what they took,” she said.
While companies generally employ legal counsel to ensure their compliance with state law and federal statutes like the Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act, Rast says their biggest expense is usually the mailing campaigns that follow to inform impacted individuals.
“More often these days, companies have good backups, so they can restore their systems over time,” Rast said. “It's notification and the forensic work that seems to be the greater cost.”
What can patients do?
As part of its consumer alert, McLaren is urging patients to monitor and review their financial statements and insurance claims, offering free credit monitoring and services through the identity theft protection company IDX.
Credit freezes can also help stop identity theft, and companies like Equifax and TransUnion offer a one-year, free fraud alert to monitor for suspicious activity.
But consumer advocates, like Suzanne Bernstein with the privacy protection advocacy group the Electronic Privacy Information Center, worry that breaches like those experienced by McLaren risk “chilling access to health care” as hacking attacks become more frequent.
“We’re often seeing reporting of the breach of really sensitive health information from hospital systems,” said Bernstein. “There's just an increased amount of data collection, which only increases the risk that data has to unauthorized use or breach.”
Bernstein said she worries about a “broader societal harm” as more health information is digitized, advocating for “data minimization” — which requires entities to limit collection based on need.
She highlighted litigation targeting hospital systems’ use of cookies and third-party ad trackers as examples of efforts to challenge data sharing outside of the patient-provider relationship, and advocates for more robust state and federal law that protects health information.
“I think having sectoral but also comprehensive privacy, cybersecurity requirements on the federal level would be great,” Bernstein said. “I sympathize with the reaction of feeling a little helpless as one person compared to a much larger, broader system.”
Get MHF Insights
News and tips for your healthcare freedom.
We never spam you. One-step unsubscribe.
Sponsors
J & DE Family Charitable Fund
Friends
of MHF
Kelly Grotendiek
Philip Harbach
Dale Johnson
Drs. Jeffrey and Joni Jones
Vickie Kahle
Tammy Kipen
Marlin & Kathy Klumpp
Melanie Kurdys
Ruth Nobel
Patrick Peterson
Stephanie Poortenga
Jeanne Smit
Ben and Hope Staal
John Tuinstra
Jacki VanHuis
Sandy Walker
Sign Up for MHF Insights to keep up on the latest in Michigan Health Policy
