McLaren Health Care, a non-profit healthcare system with a substantial presence in Michigan, is grappling with the aftermath of a significant data breach that exposed sensitive personal information of nearly 2.2 million individuals. The breach, occurring between late July and August of this year, was identified on August 22, 2023, prompting McLaren to initiate investigations and involve external cybersecurity experts.
As per McLaren’s statement on its website, the breach compromised its systems since July 28, 2023. The unauthorized access by a threat actor was confirmed on August 31. The exposed data, verified by October 10, includes a range of sensitive information such as full names, Social Security numbers (SSN), health insurance details, dates of birth, billing or claims information, diagnoses, physician information, medical record numbers, Medicare/Medicaid information, prescription/medication details, and diagnostic results and treatment information.
The extent of data exposure varies for each individual, depending on the information shared with McLaren and the services received. All affected individuals will receive notifications via the email addresses provided to McLaren, containing instructions on enrolling in identity protection services for a period of 12 months.
Despite McLaren’s assertion that there is currently no evidence of misuse of the exposed data, the organization urges affected individuals to exercise caution with unsolicited communications and closely monitor their bank account activities. McLaren recommends vigilance, advising individuals to review financial and account statements, as well as explanations of benefits, and promptly report any unusual activities to the relevant institutions and law enforcement.
While McLaren has not disclosed detailed information about the cyberattack, it is noteworthy that the ALPHV/BlackCat ransomware group claimed responsibility for an attack on McLaren’s network on October 4. The threat actors not only published samples of the allegedly stolen data but also threatened to auction the entire dataset, purportedly impacting 2.5 million people.
