McLaren Health Care has updated the status of a recent cyberattack, confirming the use of ransomware to encrypt files in its network. The attack has disrupted the IT systems at 13 of its hospitals, including the Karmanos surgery centers, cancer centers, and clinics. Although the attack has been contained, system access is still limited, and complete recovery is unlikely until September. Despite the disruptions, McLaren Health Care stated that its hospitals and clinics’ operations continue, and patients can avail of its services except if notified otherwise.
Because IT systems access is restricted, patients were instructed to carry their list of latest prescriptions/empty medicine bottles, list of allergies, printed doctor orders for imaging studies or treatments, and printed records of recent laboratory tests provided in the patient portals. The forensic investigation is not yet finished and the extent of the data breach is unknown. If the exposure or theft of patient information is confirmed, McLaren Health Care will mail individual notifications to the impacted patients.
Phil Incarnati, President and CEO of McLaren Health Care, admired the organization’s employees. He noted that, under extremely challenging circumstances, McLaren teams across the state on the frontlines and in support roles have risen to the occasion. The patients, their families, and the communities are grateful to the physicians, nurses, dietary experts, administrative assistants, patient supporters, and all team members for their resilience and kindness. Incarnati also requested patients and visitors to be patient, acknowledging that while McLaren’s clinical and support teams are among the best, they are working in a very challenging environment. Even as work is being done to recover from the attack, everyone is showing up on the frontlines every day to ensure the community receives the necessary care.
McLaren Health Care reported that the outage since August 5, 2024 is the result of a “criminal cyberattack.” The company’s IT team engaged the help of external cybersecurity experts to determine the extent of the attack and minimize its impact. While still in the early stages of the investigation, it remains unclear to what degree patient and employee data may have been exposed. There is also no detail yet as to the nature of the attack and whether ransomware was behind it. Despite the disruption, the majority of McLaren’s facilities continue to operate, with appointed visits and surgeries going forward as intended, though some non-emergency consultations, assessments, and treatments were rebooked.
Reports indicate that the attack may have been carried out by the Inc. Ransom group, which has been active since August 2023. The group typically gains initial access to healthcare systems using compromised credentials, spear phishing, and exploiting susceptible services. As per Cybereason, Inc. Ransom uses the strategy of partial encryption and multi-threading to speed up the encryption process. Double extortion is also practiced by the group, stealing information and demanding ransom before giving the decryption keys and aborting the exposure of stolen information on its data leak site. The activities of this group present a challenge for healthcare providers to protect patients’ rights under HIPAA.
Some of the healthcare victims of Inc. Ransom are Mainline Health System, Norman Urology Associates, West Idaho Orthopedics, Continuing Healthcare Solutions, Seneca Nation Health System, Pinnacle Orthopaedics, and NHS Scotland. As of this time, no McLaren Health Care is listed on the group’s data leak site.