Michigan-based McLaren Health Care has confirmed that the sensitive personal and health information of 2.2 million patients was compromised during a cyberattack earlier this year. A ransomware gang later claimed credit for the cyberattack.
In a new data breach notification filed with the Maine attorney general, McLaren said hackers were on its systems for three weeks from July 28 to Aug. 23 before the health care company became aware of it a week later on Aug. 31.
McLaren said the hackers accessed patients’ names, dates of birth and Social Security numbers, as well as a wealth of medical information, including billing, claims and diagnosis information, prescription and drug details, and information about diagnostic results and treatments. Medicare and Medicaid patient information was also obtained.
McLaren is a healthcare provider with 13 hospitals throughout Michigan and approximately 28,000 total employees. McLaren, whose website touts its cost-efficiency measures, had revenue of more than $6 billion in 2022.
News of the incident broke in October when the Alphv (aka BlackCat) ransomware gang claimed responsibility for the cyberattack, claiming it took millions of patient personal information. Days after the cyber attack disclosed, Michigan Attorney General Dana Nessel warned state residents that the breach “could affect a large number of patients.”
TechCrunch has seen several screenshots posted by the ransomware gang on its dark web leak site showing access to the company’s password manager, internal financial statements, some employee information and spreadsheets of patient-related personal and health information. including names, addresses, phone numbers. Social Security Numbers and Diagnostic Information.
Alphv/BlackCat claimed in their post that the gang had contacted a McLaren representative, without providing any evidence for the claim.
When reached by email, McLaren spokesman David Jones declined to comment beyond the company’s public statement or answer our questions about the incident. The spokesperson did not say whether the company received a payment request or paid the hackers. McLaren would not make chief information security officer George Goble available for an interview.
McLaren is currently facing at least three class actions related to cyber attack.
