On September 30, AlphV threat actors (aka BlackCat) added McLaren Health Care to their dark web leak site. They updated their listing on October 4, claiming to have data on 2.5 million people. That same week, McLaren confirmed that they had been the victim of a ransomware attack it first detected on August 22. Michigan’s Attorney General Nessel also issued a press release that week to inform citizens and provide them with steps to take to remain vigilant and protect themselves.
While McLaren confirmed an attack and was able to provide some preliminary information, they did not have any specific numbers and sent a marker “501” report to HHS to indicate that they knew more than 500 patients had been affected and that a report was required.
This week McLaren notified the Maine Attorney General’s Office that a total of 2,192,515 people were affected by the incident. A copy of their notification letter was also submitted to the California Attorney General’s Office.
From their notification letter:
On August 31, 2023, we learned the unauthorized actor had the ability to acquire certain information stored on the network during the period of access. The information impacted varied by individual and not all information was available for every individual. The information that may have been impacted includes some combination of certain individuals’ names and the following: Social Security number, health insurance information, date of birth, and medical information including billing or claims information, diagnosis, physician information, medical record number, Medicare/Medicaid information, prescription/medication information, diagnostic and treatment information.
McLaren is offering those affected complimentary mitigation services through IDX. Information is available on IDX’s website for this incident. Letters are also being mailed directly to individuals affected by this breach. For more information or assistance with questions regarding this incident, McLaren asks that people please call IDX at (888) 867-1630, scan the QR code in the notification letter, or go to IDX’s site for the incident.