Overview
On October 3, 2023, McLaren Health Care, one of Michigan's largest healthcare providers, fell victim to a significant ransomware attack. The attackers claimed to have exfiltrated 6 terabytes of data, potentially affecting up to 2.5 million patients. McLaren is actively investigating the incident and will be notifying affected individuals once a thorough assessment is completed.
The breach likely originated from a phishing email or a compromised server, with suspicious activity detected in late August. McLaren responded promptly by taking its systems offline to conduct a thorough investigation, confirming the incident as a ransomware attack.
Impact
The incident potentially affects millions of patients, with ongoing assessments to determine the extent of system, data, and compliance impacts. Critical systems and sensitive data may have been compromised, heightening concerns regarding data security and privacy. Hospitals in 4 states were forced to cancel appointments, redirect ambulances, and made to use paper records. In addition, this attack may have contributed to the closing of 2 hospitals in Connecticut. As of now, the notorious ALPHV/BlackCat ransomware gang claimed responsibility for the attack. The topic of ransomware attacks on hospitals and other healthcare institutions reached Congress this week.
Response & Recovery
McLaren's response included containment efforts to limit the ransomware's spread. They have an incident response plan, though its effectiveness is currently being reviewed. Communication with stakeholders, including executives, employees, customers, and regulatory bodies, was executed promptly and transparently. HIPPA regulations require hospitals to report cyberattacks. McLaren promptly engaged global cybersecurity specialists and coordinated with law enforcement agencies. Steps are being taken to bolster the organization's cybersecurity posture, focusing on ensuring system security and minimizing disruption to patient care and community services. While systems remain operational, the status of billing and record systems restoration is yet to be confirmed. McLaren has not disclosed their stance on ransom payment.
As a result of this incident, McLaren is prioritizing the reinforcement of security measures to prevent future ransomware attacks. A comprehensive approach to technical hardening will be employed, incorporating the lessons learned from this incident into future security practices. The aim is to establish a more resilient and secure infrastructure.
Recommendations
Executives should prioritize reinforcing cybersecurity measures to prevent future incidents. Conduct comprehensive security audits and implement robust preventive strategies. Access Point recommends users be educated about the risks associated with phishing emails, suspicious links, and attachments, and encouraged to exercise caution and verify the legitimacy of received emails. For example, teaching users how to hover over links and sender addresses, and how to report emails as phishing. Users are encouraged to use advanced email filtering and security solutions that can detect and block phishing emails containing malicious URLs and attachments. Ensure that all software, including operating systems and applications, are up-to-date with the latest security patches to protect against known vulnerabilities. Employ comprehensive endpoint protection solutions to detect and mitigate malware infections. This should include robust antivirus software and behavior-based detection mechanisms. Continuously monitor network traffic for suspicious activities, especially connections to known malicious domains or IPs associated with these campaigns. Have a well-defined incident response plan in place to efficiently handle and mitigate any security incidents that may arise from ransomware campaigns.
.webp)
.png)
