Michigan hospital system struggles with cyberattack as healthcare industry decries ‘Russian’ ransomware

A prominent healthcare system in Michigan confirmed on Wednesday that outages affecting phone systems and computers was the result of a cyberattack that began earlier in the week. 

McLaren Health Care published a statement Wednesday saying their facilities are “largely operational” but that they have to operate with downtime procedures as they work to restore several IT systems. 

“Immediately after becoming aware of the attack, our hospitals and outpatient clinics instituted downtime procedures to ensure care delivery within our facilities,” the non-profit said. “Our information technology team continues to work with external cyber security experts to analyze the nature of the attack and mitigate the impacts of the threat actors.”

McLaren emergency departments continue to operate but there have been some surgeries and procedures have been canceled as a result of the attack. Some non-emergent appointments, tests and treatments are being rescheduled, according to the statement. 

Patients will be contacted if their appointments will be canceled but those who do come to one of the organization’s hospitals need to bring a list of their current medications, printed physician orders for imaging studies or treatments, a list of allergies and the printed results of recent lab tests. 

“In addition, we are also actively working with our vendor partners and insurance providers to ensure our supply chain is not impacted and insurance authorizations are processed for care and treatments,” the hospital system added. 

While the organization did not call it a ransomware attack and did not respond to requests for comment, a printed ransom note from the INC ransomware gang allegedly sent to the hospital was shared on social media.  

The same hospital system — which operates 13 hospitals across Michigan, as well as other medical services such as infusion centers, cancer centers, primary and specialty care offices and a clinical laboratory network — was attacked last September by a ransomware gang. In November, the organization said 2.1 million people had data stolen during the attack.  

Cybersecurity experts have long said data shows ransomware victims are typically targeted repeatedly by other gangs after initial attacks. 

The McLaren incident comes days after the American Hospital Association (AHA) issued a bulletin expressing alarm at a string of recent attacks that have caused a “massive disruption to patient care.”

Last week, a prominent non-profit healthcare system in Delaware dealt with a cyberattack that took down significant parts of its IT system. On Wednesday, the ransomware hackers behind the incident threatened to leak stolen data from the hospitals if they are not paid a $1.4 million ransom by August 14. 

The AHA highlighted other recent attacks on healthcare companies like OneBlood, Synnovis, and Octapharma as examples of “Russian cybercrime ransomware gangs” targeting critical infrastructure in the U.S. and U.K.

“The attacks against Octapharma, Synnovis and OneBlood appear to be unrelated and have been conducted by separate Russian-speaking ransomware groups,” they said. “However, the unique nature and proximity of these ransomware attacks — targeting aspects of the medical blood supply chain within a relatively short time frame, is concerning.” 

The AHA added that these incidents “demonstrate how catastrophic failures can occur in healthcare delivery when mission-critical and life-critical suppliers are attacked.”