DataBreaches.Net


McLaren provides written notice to 743,131 patients after ransomware attack in July 2024 (2)

Posted on June 22, 2025; updated June 23, 2025, by Dissent

On August 5, 2024, McLaren Health Care became aware of suspicious activity affecting McLaren Health Care and Karmanos Cancer Institute computer systems. In an early statement about the incident, McLaren indicated that the attack affected IT systems across its 13 hospitals, cancer treatment centers, surgery centers, and clinics. In an August 12 update, McLaren reported that in response to the incident, some of their locations had diverted ambulances to nearby facilities for certain conditions. Some patients reported that their appointments were delayed or rescheduled because of the attack, which had occurred between July 17, 2024, and August 5, 2024, and employees reported that they were not being paid properly.

Although McLaren and Karmanos provided updates and established a call center to assist patients, it is only now that McLaren has disclosed for the first time that 743,131 patients were affected by the attack.

In a June 20, 2025, notification to the Maine Attorney General’s Office, McLaren reported that the types of information that could have been involved include name, Social Security number, driver’s license number, medical information, and health insurance information. Those affected have been offered access to credit monitoring services for twelve (12) months, through IDX.

What the Notification Doesn’t Explain

The notification letter never clearly acknowledges that this was a ransomware attack by INC Ransom that involved encryption, but a copy of the ransom note received by Karmanos was posted on X.com on August 5, 2024, the same day McLaren reports that they became aware of the attack. The June 20 notification letter does use the word “ransomware,” but without any additional details.

DataBreaches tested the “Personal ID” and found that the INC Ransom site did recognize it as a valid Personal ID. DataBreaches did not attempt to log in, however.

[Image: ransom note from INC Ransom, including a Tor chat link and a Personal ID, as posted on X.com. Image credit: @thomasbarzaf]

Second Ransomware Attack in One Year

The July 2024 ransomware attack was the second ransomware incident McLaren experienced in a year. In October 2023, McLaren notified HHS after a ransomware attack with encryption by AlphV (BlackCat). The incident was reported to HHS as affecting “501” patients, a placeholder entry indicating that McLaren did not yet know the total number of affected patients. The number of patients affected was subsequently updated to HHS as 2,103,881.

Based on BlackCat’s blistering attack on the health system and the data that they leaked as proof of claims (archived image), McLaren apparently did not pay BlackCat’s demands.

How did INC Ransom gain access to McLaren? Was it via the same method(s) as the 2023 attack by BlackCat? We do not know that, either.

And did McLaren decide to pay INC Ransom for fear of the reputation damage a second big breach might cause or because of the interference with patient care? Or did they decide not to pay? Their notification makes no mention at all of any extortion or ransom demands, but INC Ransom did not wind up listing McLaren or Karmanos on their leak site and did not leak their data, which may be our only indication from INC Ransom that their victim paid.

DataBreaches emailed McLaren and Karmanos to ask whether they paid INC Ransom to secure a decryption key and/or to get assurances of data deletion (although we know those can’t be trusted). No reply was immediately available, but this post will be updated if a reply is received or more information on this point becomes available.

If any employee with knowledge of the ransom payment issue cares to reach out, please contact this site by email to tips@databreaches[.]net — just remove the brackets. 

Update 1: Over on LinkedIn, Britton White commented on my post there by reminding us all that too many employees use personal devices for work that get infected by infostealers. He wrote:

… we still have offshore HCL folks with McLaren creds where this person is working off a Windows 11 Home machine. What makes this worse is they’re a Windows Admin with VM experience.

Could login credentials stolen by infostealers be how McLaren was compromised in the 2023 breach? Could it be how McLaren was compromised in the 2024 breach? We don’t know because forensics have not been shared with the public. Does McLaren even have visibility into the accesses and security of its remote employees’ personal devices? Again, we don’t know. But how did their risk assessments address the security safeguards required by HIPAA for employees’ personal home computers?

Update 2: The post was edited to add that a notification letter of June 20, 2025 does mention that it was a ransomware attack.


Category: Breach Incidents, Health Data, Malware
