McLaren Health Says 743,000 Affected by 2024 Ransomware Hack


Data Breach Notification, Data Security, Fraud Management & Cybercrime

Michigan-Based Group Breached in Ransomware Attack for Second Time in Two Years

Michigan-based McLaren Health says 743,000 individuals were affected by a 2024 ransomware hack. (Image: McLaren Health)

McLaren Health has begun notifying more than 743,000 people affected by a ransomware attack last summer. The incident, carried out by cybercriminal gang Inc. Ransom, is McLaren’s second major health data breach from a ransomware attack in two years.


Michigan-based McLaren, in a sample breach notification letter accompanying its report filed to Maine’s attorney general on June 20, said the organization “was the target of a cybersecurity attack by an international ransomware group” detected on Aug. 5, 2024.

The incident affected McLaren Health Care and its Karmanos Cancer Institute computer network. McLaren operates 13 hospitals and other medical facilities including the cancer center.

As of Monday, the 2024 McLaren incident was not yet posted on the U.S. Department of Health and Human Services’ HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals.

The HHS’ Office for Civil Rights website does contain several other large breaches reported by McLaren since 2016, including a hacking incident reported in October 2023 affecting 2.1 million people.

In that 2023 hack, the Russian-speaking AlphV cybercrime gang, also known as BlackCat, claimed on its darkweb site to have stolen six terabytes of “sensitive data” belonging to 2.5 million McLaren patients. The threat actor said at the time that its “backdoor is still running” on McLaren’s network.

In the 2024 incident, Inc. Ransom claimed to have stolen data as well as encrypted McLaren’s IT systems.

Regarding its most recent hack, McLaren said it became aware of suspicious activity related to certain McLaren and Karmanos Cancer Center computer systems on Aug. 5, 2024.

The organization activated its emergency response processes, which involved taking down many of its IT systems, including electronic health records, and resorting to paper charting and manual procedures during its three-week recovery. For a short time, McLaren also diverted some ambulances to other facilities while it responded to the incident (see: McLaren Health Hit with Ransomware for Second Time in a Year).

McLaren in its more recent breach notification letter said its investigation into the incident found the unauthorized access to its network occurred between July 17 and Aug. 3, 2024.

“As part of our investigation, we undertook an extensive forensic review of the potentially impacted files to determine whether any sensitive information was present,” the letter said. That process was concluded on May 5.

Information contained in the affected files potentially includes name, Social Security number, driver’s license number, medical information and health insurance information.

As of Monday, several law firms had issued public statements saying they are investigating the latest McLaren incident for potential class action litigation.

McLaren did not immediately respond to Information Security Media Group’s requests for comment and additional details about the hacks.

Repeat Hacks

Some experts said that, unfortunately, it is not unusual for an organization to fall victim to more than one attack within a relatively short period of time.

“It is not uncommon for ransomware victims, including healthcare, to fail to completely evict ransomware gangs from their networks,” said Mike Hamilton, field CISO at security firm Lumifi Cyber.

“These actors can leave behind backdoors or install intentionally vulnerable modifications to software such as backing out a patch or installing a known bad DLL. This allows them to re-extort the victim at the time of their choosing.”

Based on McLaren’s limited details disclosed about its hacking incidents, it’s publicly unknown if the organization addressed the backdoor AlphV claimed was still in place when that gang attacked the healthcare organization in 2023.

“It is less likely that McLaren failed to address the technical vulnerabilities that caused the first breach, as ransomware response includes identifying root cause and ensuring that corrective actions have been applied,” Hamilton said.

“However, if the initial access was gained through social engineering or credential abuse, there may be controls that continue to fail such as user training, effective email filtering, good password management, multi-factor authentication, etc.”

Initial access in these types of incidents is generally gained through one of three methods, Hamilton said.

Those are technical vulnerability exploitation; credential abuse, such as reusing passwords found in other credential dumps; and social engineering that uses increasingly sophisticated methods such as voice and video deepfakes, he said. “Any of these methods could have been used.”

To help avoid repeatedly falling victim to such incidents, Hamilton said it’s critical to take several important measures.

“Ensure that credentials are managed properly and not shared across different applications out of the workplace. This includes use of a password vault and optimally a prohibition on storing credentials in browsers to avoid infostealer attacks,” he said.

“Train users to be suspicious of any messaging that is unexpected, whether through email, text, social media, phone or video.”

Also, organizations should optimize patch management and use compensating controls when patches cannot be applied on schedule, he said.

But on top of that, “the best advice is this: Force all personal use onto personal devices,” he stressed.
