Large Michigan healthcare provider confirms ransomware attack
One of the largest healthcare systems in Michigan confirmed that it is dealing with a ransomware attack after a notorious hacker gang boasted about the incident.
A spokesperson for McLaren HealthCare said the organization recently detected suspicious activity on its computer network and immediately began an investigation.
“Based on our investigation, we have determined that we experienced a ransomware event. We are investigating reports that some of our data may be available on the dark web and will notify individuals whose information was impacted, if any, as soon as possible,” a spokesperson said.
McLaren operates 13 hospitals across Michigan, as well as other medical services such as infusion centers, cancer centers, primary and specialty care offices and a clinical laboratory network. The company has more than 28,000 employees and also has a wholly owned medical malpractice insurance company.
Earlier this month, the company reported outages affecting billing and electronic health record systems. According to the Detroit Free Press, McLaren had to shut down the computer network at 14 different facilities — a situation that got so bad that employees had to communicate through their personal phones.
The spokesperson said McLaren has “retained leading global cybersecurity specialists to assist in our investigation, and we have been in touch with law enforcement. We have also taken measures to further strengthen our cybersecurity posture with a focus on securing our systems and limiting disruption to our patients and the communities we serve.”
The spokesperson added that systems “remain operational” but did not respond to requests for comment about whether billing and record systems had been restored to functionality. They did not say whether a ransom would be paid.
The Black Cat/AlphV ransomware gang took credit for the attack in a post on its leak site early on Friday morning.
The gang, which initially did not name the company and added McLaren’s name hours later, claimed to have stolen 6 TB of data, allegedly including the personal data of millions as well as videos of the hospitals’ work.
Michigan’s Emergency Management & Homeland Security department as well as the governor’s office did not respond to requests for comment about whether expertise was being provided to the company.
BlackCat has made a point of going after healthcare institutions, causing outrage earlier this year after attempting to extort a healthcare network in Pennsylvania by publishing photographs of breast cancer patients. In January it took credit for an attack on technology giant NextGen Healthcare.
The gang caused international headlines two weeks ago with its attack on MGM Resorts, which devastated several major casinos in Las Vegas and left slot machines, ATMs and more paralyzed.
The attack on McLaren comes one month after another major U.S. healthcare network was attacked by ransomware actors.
Hospitals in four states were forced to cancel appointments, divert ambulances and use paper records. The attack may contribute to the closure of at least two hospitals in Connecticut.
The issue of ransomware attacks on hospitals reached Congress this week, with House members holding a hearing on the crisis and taking testimony from several people who have faced off against hackers.
Stephen Leffler, president of one of Vermont’s largest healthcare providers, told Congress of his experience dealing with a 2020 ransomware attack, warning that despite their array of security tools, they were still hit.
“This really is an arms race. As we have all seen in the news over the past few 3 years, the cybercriminals and actors are getting increasingly sophisticated, and so this important work to protect our systems will never be fully finished,” he said.
ALPHV #ransomware group has added an unknown healthcare organization based out of the US state of Michigan to their victim list. They claim to have access to 6TB of organization's data. #USA #alphv #blackcat #darkweb #databreach #cyberattack pic.twitter.com/jizDcaqOuN
— FalconFeedsio (@FalconFeedsio) September 29, 2023
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.