We are learning more about the ransomware attack on McLaren Health Care's IT systems which took place a month ago. It appears that whoever corrupted McLaren Health Care's IT systems with the BlackCat / ALPHV ransomware code made off with the personal information of 2.5 million patients and employees. A cautionary tale as we rush headlong into health care data interoperability:
McLaren ransomware attack may have leaked patient data to dark web
By Kristen Jordan Shamus - October 4, 2023

McLaren Health Care acknowledged this week that the ransomware attack that took down the computer network at its 14 Michigan hospitals in late August and early September also could have leaked some patient data onto the dark web.
A ransomware gang known as BlackCat/AlphV claimed responsibility for the cyberattack late last week, posting online that it stole 6 terabytes of McLaren's data, including the personal information of 2.5 million patients.
"It will be one of the biggest leaks of all time," BlackCat/AlphV wrote in the posts. "... Our backdoor is still running on your network."
The Free Press first reported in early September that McLaren's billing systems and electronic medical records were affected by the cybersecurity attack, and that workers at times had to use personal cellphones to communicate.
McLaren Health Care issued the following update this week about the cybersecurity breach:
"Protecting the security and privacy of data in our systems is a top organizational priority, so we immediately launched a comprehensive investigation to understand the source of the disruption and identify what, if any, data exposure occurred. We simultaneously retained leading global cybersecurity specialists to assist in our investigation, and we have been in touch with law enforcement. We have also taken measures to further strengthen our cybersecurity posture with a focus on further securing our systems and limiting disruption to our patients and the communities we serve.
"Based on our investigation, we have determined that we experienced a ransomware event. We are investigating reports that some of our data may be available on the dark web and will notify individuals whose information was impacted, if any, as soon as possible. We want to assure our patients and the communities we serve that our systems remain operational, and we continue to provide the exceptional care for which we are known."
McLaren's spokesperson also told the Free Press that at least some of the claims posted online by BlackCat/AlphV have not been corroborated:
"Regarding their 'backdoor' claims, based on the current analysis with our cybersecurity specialists, we do not see evidence to this claim," the spokesperson said.
McLaren did not answer questions from the Free Press about exactly when the cyberattack was first identified, specifically what information was stolen or how many patients and/or employees were affected.

BlackCat, a criminal ring that has ties to Russia, also was implicated in a ransomware attack on a health system in Lehigh, Pennsylvania, earlier this year.
"The bad actors exfiltrated the data first and threatened to extort the patients of the health care clinic," Karl Sigler, senior security research manager at Trustwave, told the Free Press in an interview for a previous article. "One of the things that health care clinic was responsible for was mammograms for people who potentially had breast cancer."
The cybercriminals "started targeting the patients directly, saying, 'Hey, I have these mammograms of you. And I'm going to leak them because your health care clinic doesn't care to pay the ransom. But if you pay us a ransom, we'll make sure that your records specifically aren't leaked with everybody else's.'
"It's one of the more vicious attacks that I've seen that's been publicly disclosed."
Health care providers are required to report any breach of protected health information to the U.S. Department of Health and Human Services, as well as the Federal Trade Commission.
When it comes to disclosing to the public that personal health information was compromised, the federal HIPAA (Health Insurance Portability and Accountability Act) Breach Notification Rule offers some protection.
It requires health care providers to disclose within 60 days of when a breach was first discovered details about what types of information were compromised, what steps people should take to protect themselves, what is being done to investigate the breach, as well as contact information.
If the cyberattack involved 500 people or more, “a prominent media outlet” must also be notified within 60 days.
Trustwave, a Chicago-based cybersecurity company, released a report in July that found nationally, 24% of all cyberattacks in the U.S. in 2022 targeted the health care industry.
"The average cost of a health care data breach in 2023 is about $11 million," Sigler said.
It is important to note here that BlackCat / ALPHV is ransomware code written in the Rust programming language which is inserted into the victim's IT system. It is not a 'gang' per se. Unsophisticated computer hacking gangs obtain the BlackCat / ALPHV ransomware code on a subscription basis and deploy it in their hacks. The model is called Ransomware as a Service (RaaS).
RaaS is a subscription model that enables hackers around the world to use sophisticated ransomware tools (code beyond their ability to create themselves) to execute ransomware attacks. They obtain off-the-shelf ransomware programs like BlackCat by paying a subscription to the authors of the programs via the dark web. Those ransomware authors, who may or may not be 'Russian', don't actually become involved in the various attacks.
An update:
McLaren Health Care says data breach impacted 2.2 million people
By Bill Toulas - November 10, 2023

McLaren Health Care (McLaren) is notifying nearly 2.2 million people of a data breach that occurred between late July and August this year, exposing sensitive personal information.

McLaren is a non-profit healthcare system with an annual revenue of $6.6 billion. It encompasses an extensive network across Michigan that includes 14 hospitals with a total bed capacity of 2,624 and is supported by a team of 490 physicians.
The organization boasts a substantial workforce, with a 28,000 full-time staff. Additionally, it maintains contractual relationships with 113,000 providers, extending its reach into Indiana.
McLaren published a statement on its website about the intrusion and also notified U.S. authorities. The organization also alerted impacted individuals of the incident.
Per the provided information, McLaren identified a security breach on August 22, 2023. Subsequent investigations, conducted with the assistance of external cybersecurity experts, revealed that the breach had compromised its systems since July 28, 2023.
Evidence shows that on August 31 an unauthorized threat actor had accessed data and the following data types were confirmed to have been exposed by October 10:
- Full name
- Social Security number (SSN)
- Health insurance information
- Date of birth
- Billing or claims information
- Diagnosis
- Physician information
- Medical record number
- Medicare/Medicaid information
- Prescription/medication information
- Diagnostic results and treatment information
The specific types of data exposed differ for each individual, depending on the information they shared with the organization and the services they received.
All impacted individuals will receive, at the email address they provided to McLaren, a notification with instructions on enrolling in identity protection services for 12 months.
McLaren says it currently holds no evidence that cybercriminals abused the exposed data but urges impacted individuals to be cautious with unsolicited communications and keep a close eye on their bank account activity.
“While there is currently no evidence that your information has been misused, we recommend that you remain vigilant, monitor and review all of your financial and account statements and explanations of benefits, and report any unusual activity to the institution of record and to law enforcement.” - McLaren

Although the organization does not disclose many details about the cyberattack, it is worth mentioning that the ALPHV/BlackCat ransomware group took responsibility for an attack on McLaren's network on October 4.
McLaren is notifying a limited number of patients that their personal information was stolen:
McLaren Health Care notifying patients of a possible data breach
By Kevin Craft - November 21, 2023
MID-MICHIGAN (WJRT) - McLaren Health Care is notifying some patients of a possible data leak that could include social security numbers and health information.
The hospital is now working with an identity theft protection service to offer help.
McLaren says the unauthorized access happened between July 28 and Aug. 23.
The breach includes some patients' social security numbers, prescriptions and medical treatment information.
McLaren has partnered with an identity protection company in the meantime.
Anyone who believes that they were impacted by the data breach is asked to call 888-867-1630.