McLaren Health Care Data Breach Impacts Over 2.2 Million Individuals

Michigan-based healthcare provider ,McLaren, confirmed the data breach incident, claimed last month by the notorious ransomware gang, BlackCat (also known as ALPHV).

First identified around August 22, 2023, the incident is said to have impacted more than 2.2 million people. Its discovery led to the launch of an investigation which revealed that unauthorized actors had infiltrated its system and accessed certain information stored therein, between July 28, and August 23, 2023.

The third-party assisted investigation of impacted files not only revealed the type of information stolen but also the level of exposure suffered by impacted individuals. ‘’It was through this process, which concluded on October 10, 2023, that we determined that information pertaining to you may have been included in the potentially impacted files,’’ the notification revealed.

The information which varied by individuals included the names, social security numbers, birth, and health insurance details. Medical records like physician, medication, diagnosis, treatment, Medicare/Medicaid, and billing or claims information, as well as medical record number.

McLaren Health Care stated that no evidence was found of any misuse of stolen data by the hackers. However, one cannot negate the possibility of the data being sold on the dark web for nefarious purposes including, identity theft, phishing attacks, insurance, or medical frauds, etc.

In addition to securing its network, the healthcare provider has informed the concerned US authorities and notified the impacted people through emails about the incident. It is also offering a 12-month free identity theft protection services through IDX to the concerned individuals.

‘’While there is currently no evidence that your information has been misused, we recommend that you remain vigilant, monitor and review all of your financial and account statements and explanations of benefits, and report any unusual activity to the institution of record and to law enforcement,’’ McLaren advised.

The breach first came to notice when ALPHV claimed responsibility for the attack in the first week of October, and published sample data sets on its blog.