Ten months later, McLaren reveals 740,000 impacted by ransomware attack


Dave Jones, a spokesperson for McLaren, said the hospital system completed its internal investigation with a third-party forensic specialist on May 5 when it determined sensitive patient data had been illegally accessed. 

He says the health care system has “followed all regulatory reporting guidelines.” 

“Protecting the security and privacy of data in our systems is a top priority,” Jones told Bridge Michigan in an email. 

“While there is no evidence of actual or attempted misuse of personal information as a result of the incident, McLaren has begun the process of notifying patients whose data may have been impacted by the event and offering complimentary identity protection out of an abundance of caution.”


Federal law requires breaches of protected health information affecting more than 500 people to be reported “without unreasonable delay” and no later than 60 calendar days after discovery. 

The US Department of Health and Human Services, which maintains a database of health record breaches required by law, had not posted McLaren’s most recent cybersecurity failure as of June 26. 

The agency declined to comment to Bridge Michigan on McLaren.

The Michigan Attorney General’s Office did not respond to a Bridge request for comment on the agency’s awareness of the breach or McLaren’s obligation to inform those impacted by the security failure.

It’s the second such ransomware attack for McLaren since October 2023, when the personal health information of at least 2.5 million patients was exposed by the hacker gang BlackCat/ALPHV.

In previous statements, Attorney General Dana Nessel said state law does not require companies to notify the government of significant data breaches, with her office generally learning about consumer-impacting cyberattacks through media reports.

According to the latest available data, the US Department of Health and Human Services Office of Civil Rights is currently reviewing 28 leaks in the state, including those at Michigan Medicine and Catholic Charities West Michigan. 

The investigations cover more than 800,000 individuals.

Hacker threats

McLaren has not specified the actors behind the attack, or its response to the extortion scheme, but cybersecurity watchdogs have linked the ransomware breach to the Inc. Ransom cybergang. 

Memos reportedly obtained by employees allege the hacker group wanted “nothing more than money” as part of the scheme.

Claudia Rast, a cybersecurity attorney with the Detroit-based law firm Butzel Long, said patient data from ransomware attacks generally end up on the dark web, where the records become available to anybody who wants to buy.

“It’s like a ‘Star Wars’ bar,” Rast told Bridge Michigan. “You don’t want to go there.”

The aftermath of a cyberattack is a “fairly chaotic situation,” Rast explained, with groups like McLaren working first to identify the vulnerabilities that lead to a breach before identifying what exactly was accessed during the hack. 

Figuring out which data was taken by groups like Inc. Ransom and BlackCat/ALPHV requires extensive internal audits and data mining processes that often span weeks.

“The threat actors don’t label with an Excel spreadsheet… what they took,” she said.

While companies generally employ legal counsel to ensure their compliance with state law and federal statutes like the Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act, Rast says their biggest expense is usually the mailing campaigns that follow to inform impacted individuals.

“More often these days, companies have good backups, so they can restore their systems over time,” Rast said. “It’s notification and the forensic work that seems to be the greater cost.”

What can patients do?

As part of its consumer alert, McLaren is urging patients to monitor and review their financial statements and insurance claims, offering free credit monitoring and services through the identity theft protection company IDX.

Credit freezes can also help stop identity theft, and companies like Equifax and TransUnion offer a one-year, free fraud alert to monitor for suspicious activity.

But consumer advocates, like Suzanne Bernstein with the privacy protection advocacy group the Electronic Privacy Information Center, worry that breaches like those experienced by McLaren risk “chilling access to health care” as hacking attacks become more frequent.

“We’re often seeing reporting of the breach of really sensitive health information from hospital systems,” said Bernstein. “There’s just an increased amount of data collection, which only increases the risk that data has to unauthorized use or breach.”




