Michigan-based McLaren Health Care has announced that cyber criminals gained access to computer systems for a 25-day period between July and August and stole the personal and healthcare information of its patients.
Founded in 1914, McLaren Health Care is one of Michigan’s largest healthcare organisations with an annual budget exceeding $6 billion. The healthcare system includes 15 hospitals in Michigan and Ohio, ambulatory surgery centres, imaging centres, a 490-member primary and specialty care physician network, and a network of pharmacies, clinical laboratories and cancer centres.
The healthcare giant recently announced that cyber criminals gained access to its network and computer systems between July 28 and August 23 this year and stole "certain information stored on the network during the period of access."
McLaren said it detected unauthorised access to its computer systems on 22nd August and immediately launched an investigation with the assistance of third-party forensic specialists to secure its network and to determine the nature and scope of the activity.
"Through the investigation, it was determined that there was unauthorized access to McLaren’s network between July 28, 2023, and August 23, 2023. On August 31, 2023, we learned the unauthorized actor had the ability to acquire certain information stored on the network during the period of access," it said.
Without revealing how many patients were affected or how much data was stolen from its network, McLaren said it conducted a thorough review of the data that was accessed to ascertain whether it contained sensitive information and concluded that the incident did compromise certain patients’ personal information.
"The information impacted varied by individual and not all information was available for every individual. The information that may have been impacted includes some combination of certain individuals’ names and the following: Social Security number, health insurance information, date of birth, and medical information including billing or claims information, diagnosis, physician information, medical record number, Medicare/Medicaid information, prescription/medication information, diagnostic results and treatment information," it said.
McLaren’s announcement comes not long after the ALPHV/BlackCat ransomware group claimed that it stole the personal information of about 2.5 million individuals from the healthcare company’s network. The stolen data dump contained up to 6 terabytes worth of patient information.
"More than 6 Tetrabytes of data were stolen from the company’s servers, not least due to negligence in network security and data storage," the ransomware group wrote. "We give a good chance to negotiate and come to a reasonable solution and maintain the reputation and money and calm of your patients, who entrust you with their health and safety."
The BlackCat group said it would leak the personal information of millions of US citizens if McLaren ignored its demand to engage and negotiate a ransom. "It will be one of the biggest leaks of all time," the group threatened.
Dana Nessel, the Attorney General of Michigan, said that the ransomware attack on McLaren Health Care showed the importance of timeliness when responding to such attacks to protect people’s personal information and to stop hackers in their tracks.
“Time is of the essence when a breach occurs to ensure affected individuals can take the necessary steps to protect their identities. This attack shows, once again, how susceptible our information infrastructure may be.
“Organisations that handle our most personal data have a responsibility to implement safety measures that can withstand cyber-attacks and ensure that a patient’s private health information remains private,” she added.