IOTW: McLaren Health Care data breach impacts 2.2 million people

Ransomware gang BlackCat/ALPHV claimed responsibility for the cyber attack in October

Michael Hill
11/17/2023

Healthcare delivery system McLaren Health Care has notified around 2.2 million individuals that their personal information was compromised in a data breach earlier this year. In a new data breach notice filed with Maine’s attorney general, the Michigan-based company said hackers accessed its systems between late July and August before it detected the activity.

According to McLaren, the exposed information includes Social Security numbers, health insurance information, medical information including billing or claims information, medical record numbers, prescription/medication information and diagnostic and treatment information. 

Notorious ransomware gang BlackCat/ALPHV claimed responsibility for the attack in October. McLaren has not confirmed whether it has received or paid a ransom demand. Meanwhile, several lawsuits have been filed against McLaren in the wake of the incident for failing to effectively secure sensitive data. McLaren provides services to a number of hospitals across Michigan and has around 28,000 employees. 

McLaren “moved quickly” to investigate and respond to incident

Upon discovering the event, McLaren said it “moved quickly to investigate and respond to the incident” – assessing the security of its systems and identifying potentially affected individuals. McLaren notified federal law enforcement regarding the event and is working to implement additional safeguards and provide training to its employees, it added.

McLaren is also providing impacted individuals with guidance on how to protect themselves against identity theft and fraud, including advising them how to report any suspected incidents of identity theft or fraud to their credit card company and/or bank, it said.

Furthermore, the firm is providing individuals with information on how to place a fraud alert and security freeze on one’s credit file, along with the contact details for the national consumer reporting agencies, and information on how to obtain a free credit report. It has also issued a reminder to remain vigilant for incidents of fraud and identity theft by reviewing account statements and monitoring free credit reports, and encouragement to contact the Federal Trade Commission, their state Attorney General, and law enforcement to report attempted or actual identity theft and fraud.

Last month, Michigan attorney general Dana Nessel said that the attack on McLaren reflects how susceptible information infrastructure can be, stating that organizations that handle the most personal data “have a responsibility to implement safety measures that can withstand cyber attacks and ensure that a patient’s private health information remains private.”

Healthcare sector a prime target for cyber attacks

The healthcare industry is a prime target for cyber attacks due to the sheer volume of sensitive information typically stored on the systems of healthcare providers and organizations, with the frequency and severity of attacks against the healthcare sector increasing in recent years. In July, it was revealed that US-based healthcare company HCA Healthcare suffered a data breach impacting 11 million patients. Last year, almost one million people were affected by a ransomware attack on New York-based healthcare billing company Practice Resources (PRL) which exposed the data of patients from 27 hospitals and physician’s offices.

“The average cost of a healthcare data breach has surged to nearly US $11 million, marking a 53% increase since 2020,” Sarah Jones, cyber threat intelligence research analyst at Critical Start, tells Cyber Security Hub. “Additionally, the BlackCat/ALPHV ransomware gang maintained unauthorized access to McLaren’s systems for an extended three-week period. This prolonged dwell time indicates a shift in the cybersecurity landscape, as cybercriminals adapt tactics to minimize risk and optimize their efforts.”

The evolving strategy reflects cyber criminals’ continuous efforts to enhance effectiveness while reducing the likelihood of detection or attribution, Jones adds. Furthermore, the rapid technological advancements in the healthcare sector, while beneficial, have heightened the risk of targeting, with threat actors swift to exploit vulnerabilities in healthcare records, IT systems and medical devices. “Prioritizing and investing in cybersecurity is paramount for the healthcare industry to safeguard patients from these ever-evolving cyber threats.”

