Fraud Management & Cybercrime , Healthcare , Industry Specific

Group Claims It Stole 2.5 Million Patients' Data in Attack

McLaren Health Care Ransomware Incident Among Latest Alleged Alphv/BlackCat Attacks
Group Claims It Stole 2.5 Million Patients' Data in Attack
Alphv/BlackCat claims to have stolen the data of 2.5 million McLaren Health Care patients. (Image: McLaren Health Care)

Ransomware-as-a-service gang Alphv/BlackCat claims to have stolen 6 terabytes of data on 2.5 million patients in a recent attack on Michigan-based McLaren Health Care, which operates 13 hospitals and dozens of other medical facilities, including a network of cancer centers.

See Also: Healthcare in The Cloud: Detecting and Overcoming Threats to Ensure Continuity & Compliance

In late August, McLaren Health Care detected "suspicious activity" on its computer network, immediately launched an investigation into the source of the disruption, and retained outside global cybersecurity specialists to assist, McLaren told Information Security Media Group in a statement Tuesday.

"We temporarily disconnected our network from the internet out of an abundance of caution," the statement said. McLaren said its facilities remained "operational" and that the organization continued to provide "exceptional" care to patients during the incident.

All of the entity's systems are currently back online, a McLaren spokesman told ISMG.

But on Friday, the Russian-speaking Alphv cybercrime gang, also known as BlackCat, which is a spinoff of the now-defunct Conti ransomware group, claimed on its dark web site to have stolen "sensitive data" of 2.5 million McLaren patients. The threat actor says its "backdoor is still running" on McLaren's network.

"Based on the current analysis with our cybersecurity specialists, we do not see evidence to this claim," the McLaren spokesman told ISMG.

McLaren said its investigation has determined that the entity did experienced a ransomware event. "We are investigating reports that some of our data may be available on the dark web and will notify individuals whose information was impacted, if any, as soon as possible," McLaren said in the statement.

McLaren also said it has been in touch with law enforcement and that the organization has taken measures to further strengthen the cybersecurity of its systems.

McLaren, headquartered in Grand Blanc, Michigan, is a $6.6 billion, integrated healthcare delivery system. Among its other facilities, McLaren operates Michigan’s largest network of cancer centers and providers. McLaren's Karmanos Cancer Institute is one of about 56 National Cancer Institute-designated comprehensive cancer centers in the U.S.

McLaren is also part of a growing list of organizations in the healthcare and other sectors allegedly victimized by a growing number of recent Alphv attacks.

In January, U.S. Department of Health and Human Services issued a warning for the healthcare and public health sectors about threats posed by BlackCat, as well as by the ransomware group Royal (see: BlackCat, Royal Among Most Worrisome Threats to Healthcare).

Soon after the HHS warning, Alphv/BlackCat claimed a number of other healthcare sector victims, including an attack in February on Lehigh Valley Health Network, which operates 13 hospitals and numerous physician practices and clinics in eastern Pennsylvania.

In that attack, Alphv/BlackCat leaked on its dark web site stolen patient information, including screenshots of diagnoses and photos of disrobed breast cancer patients that were contained in the individuals' medical care records (see: BlackCat Leaking Patient Data and Photos Stolen in Attack).

Threat monitoring firm as of Tuesday has attributed 111 attacks to Alphv/BlackCat.

"Alphv/BlackCat is particularly interested in the healthcare sector, and not many threat groups are targeting healthcare - for ethical reasons," said Christiaan Beek, senior director of threat analytics at security firm Rapid7.

"They are also very vocal in the press about their victims and even offer an API on their website so you can automate their announcements about new victims into your own tracking of data feeds," Beek said. "This tells us that they are adept at utilizing both technology and the media in an attempt to get their victims to pay faster."

In September, Alphv claimed credit for attacking casino and hotel operators MGM Resorts and Caesars Entertainment.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.