On August 5, 2024, McLaren Healthcare became aware of suspicious activity affecting McLaren Health Care and Karmanos Cancer Institute computer systems. In an early statement about the incident, McLaren indicated that the attack affected IT systems across its 13 hospitals, cancer treatment centers, surgery centers, and clinics. In an August 12 update, McLaren reported that in response to the incident, some of their locations had diverted ambulances to nearby facilities for certain conditions. Some patients reported that their appointments were delayed or rescheduled because of the attack, which had occurred between July 17, 2024, and August 5, 2024, and employees reported that they were not being paid properly.
Although McLaren and Karmanos provided updates and established a call center to assist patients, it is only now that McLaren has disclosed for the first time that 743,131 patients were affected by the attack.
In a June 20, 2025, notification to the Maine Attorney General’s Office, McLaren reported that the types of information that could have been involved include name, Social Security number, driver’s license number, medical information, and health insurance information. Those affected have been offered access to credit monitoring services for twelve (12) months, through IDX.
What the Notification Doesn’t Explain
The notification letter never clearly acknowledges that this was a ransomware attack by INC Ransom that involved encryption, but a copy of the ransom note received by Karmanos was posted on X.com on August 5, 2024, the same day McLaren reports that they became aware of the attack.
DataBreaches tested the “Personal ID” and found that the INC Ransom site did recognize it as a valid Personal ID. DataBreaches did not attempt to login, however.
Second Ransomware Attack in One Year
The July 2024 ransomware attack was the second ransomware incident McLaren experienced in a year. In October 2023, McLaren notified HHS after a ransomware attack with encryption by AlphV (BlackCat). The incident was reported to HHS as affecting “501” patients, a placeholder entry indicating that McLaren did not yet know the total number of affected patients. The number of patients affected was subsequently updated to HHS as 2,103,881.
Based on BlackCat’s blistering attack on the health system and the data that they leaked as proof of claims (archived image), McLaren apparently did not pay BlackCat’s demands.
How did INC Ransom gain access to McLaren? Was it via the same method(s) as the 2023 attack by BlackCat? We do not know that, either.
And did McLaren decide to pay INC Ransom for fear of the reputation damage a second big breach might cause or because of the interference with patient care? Or did they decide not to pay? Their notification makes no mention at all of any extortion or ransom demands, but INC Ransom did not wind up listing McLaren or Karmanos on their leak site and did not leak their data, which may be our only indication from INC Ransom that their victim paid.
DataBreaches emailed McLaren and Karmanos to ask whether they paid INC Ransom to secure a decryption key and/or to get assurances of data deletion (although we know those can’t be trusted). No reply was immediately available, but this post will be updated if a reply is received or more information on this point becomes available.
If any employee with knowledge of the ransom payment issue cares to reach out, please contact this site by email to tips@databreaches[.]net — just remove the brackets.