McLaren Health Care Notifies Almost 750,000 Individuals About August 2024 Ransomware Attack
McLaren Health Care in Michigan has started notifying 743,131 individuals that some of their protected health information was compromised in an August 2024 ransomware attack.
McLaren Health Care had previously announced the ransomware attack; however, it has taken time to review the files compromised in the incident, hence the delay in issuing individual notification letters. The letters explain that unauthorized access to its computer systems was detected on or around August 5, 2024. Assisted by third-party cybersecurity experts, McLaren Health Care learned that there was unauthorized access to the systems used by McLaren Health Care and its Karmanos cancer centers between July 17, 2024, and August 3, 2024.
The forensic analysis of the affected files was extensive and time-consuming, and was completed on May 5, 2025, when it was confirmed that personal information and protected health information were present in the compromised files. The data compromised in the incident included names, Social Security numbers, driver’s license numbers, medical information, and health insurance information. Individual notification letters were mailed on or around June 20, 2025, and complimentary credit monitoring and identity theft protection services have been offered for 12 months.
The notification letters do not state that this was a ransomware attack, and there is no mention of the Inc. Ransom ransomware group, which was previously linked with the attack. The Inc Ransom data leak site does not list McLaren Health Care, which suggests the ransom demand may have been paid, although that has not been confirmed by McLaren Health Care.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
This was the second ransomware attack suffered by McLaren Health Care in the space of a year. The previous attack was conducted by the ALPHV/BlackCat ransomware group and involved the theft of the protected health information of 2,103,881 individuals.
August 28, 2024: McLaren Health Care Restores IT Systems Following Ransomware Attack
McLaren Health Care has announced that it has successfully restored all IT systems affected by its August 5, 2024, ransomware attack, including its electronic medical record (EHR) system. In an earlier announcement, McLaren Health Care said it did not anticipate being able to fully restore access to all IT systems until the start of September, so the nonprofit healthcare provider has completed the restoration work a few days ahead of schedule.
In the latest announcement, McLaren Health Care confirmed that all emergency departments are open and are receiving all conditions via emergency medical services. All surgeries due to take place from August 27, 2024, are proceeding as planned, radiation therapy units at the Karmaros Cancer Institute and the McLaren Stroke Network are fully operational, primary and specialty care offices are operational and are accepting appointments, and patients can now schedule outpatient diagnostic imaging procedures.
“McLaren Health Care leadership extends its sincere gratitude to its patients for their understanding, assistance, and patience as its teams worked tirelessly and diligently to fully restore its network,” explained McLaren Health Care in its latest update. “Special recognition is also owed to the extraordinary commitment, dedication, and resilience demonstrated by McLaren team members, whose exemplary efforts throughout the cyberattack have been inspiring.”
The restoration of IT systems is only one step in its recovery, as while the temporary procedures, such as manually recording patient information, have now been lifted, there is still considerable work left to do. McLaren Health Care is rescheduling all appointments and surgeries postponed or canceled due to the ransomware attack, and patient data recorded manually over the past three weeks must now be entered into the EHR. That process has already started, but McLaren Health Care expects it will take several weeks to complete.
McLaren Health Care is not yet in a position to confirm to what extent, if any, patient data was compromised in the attack. The analysis is ongoing, and if it is determined that patients’ protected health information has been exposed or stolen, McLaren will issue individual notifications and inform regulators about the HIPAA data breach.
August 21, 2024: McLaren Health Care Anticipates September Recovery From Ransomware Attack
McLaren Health Care has provided an update on its recent cyberattack and has confirmed that ransomware was used to encrypt files on its network. The incident caused disruption to its IT systems and is affecting all 13 of its hospitals, and its Karmanos cancer centers, surgery centers, and clinics. McLaren Health Care said the attack has been contained, although access to its systems remains limited and a full recovery is not expected until September. While its facilities are still facing disruption, McLaren Health Care said its hospitals and clinics remain largely operational, and patients should use its services as normal unless contacted and informed otherwise.
Since access to IT systems is limited, patients have been advised to bring a list of current medications/empty prescription bottles, printed physician orders for imaging studies or treatments, printed results of recent lab tests available in the patient portals, and a list of any allergies. The forensic investigation is ongoing, and the extent of any data breach has yet to be determined. If it is determined that patient information has been exposed or stolen, individual notifications will be mailed to the affected individuals.
“Our employees are absolutely inspiring. Under extremely trying circumstances, McLaren teams on the frontlines and those in support roles across the state have answered the call. From doctors and nurses to dietary professionals, administrative assistants, patient advocates, and all team members in between, our patients, their families, and our communities will be forever grateful for your resilience and kindness. Thank you,” said Phil Incarnati, President and CEO of McLaren Health Care. “We kindly ask patients seeking care and visitors to our facilities for their continued patience. Our clinical and support teams are some of the best out there, but they are working in a very challenging environment while we recover from this attack. They are the ones showing up on the frontlines every day to ensure our communities receive the care they need.”
August 8, 2024: McLaren Health Care Confirms Outage Caused by Cyberattack
McLaren Health Care has confirmed that the outage it has been experiencing since Monday, August 5, 2024, was due to “a criminal cyberattack.” External cybersecurity experts are assisting its information technology team in confirming the scope of the attack and mitigating its impact. The investigation is still in the early stages, and it is currently unknown to what extent patient and employee information has been compromised. McLaren Health Care has not yet released any further information on the exact nature of the cyberattack, such as whether ransomware was used. McLaren Health Care said its facilities are largely operational and most scheduled appointments and surgeries are going ahead as planned but some non-emergency appointments, tests, and treatments have been rescheduled.
As previously reported, this appears to have been an attack by the Inc. Ransom group. The Inc. Ransom group has been in operation for about a year, with the first known attacks conducted in August 2023. The group has been observed gaining initial access to healthcare networks through spear phishing, compromised credentials, and targeting vulnerable services. According to Cybereason, Inc. Ransom employs partial encryption combined with a multi-threading approach, which speeds up the encryption process considerably. The group engages in double extortion tactics, stealing data and issuing ransom demands. The ransom must be paid to obtain the decryption keys and prevent the publication of the stolen data on its data leak site.
Previous healthcare victims include Mainline Health System, West Idaho Orthopedics, Norman Urology Associates, Continuing Healthcare Solutions, Pinnacle Orthopaedics, Seneca Nation Health System, and NHS Scotland. At present, McLaren Health Care has not been added to the group’s data leak site.
August 7, 2024: McLaren Health Care Investigating Potential Cyberattack
McLaren Health Care, a Grand Blanc, MI-based health system that operates 13 hospitals in Michigan and many ambulatory surgery centers, physician offices, and other care facilities in the state, has announced that it is investigating an outage affecting its phone and computer systems. The cause of the disruption has not yet been determined, although it is possible that the disruption is the result of a ransomware attack. There have been unconfirmed reports of ambulances being directed to other facilities, which is standard procedure when access to electronic medical records is lost.
Some non-emergency or elective procedures may be rescheduled out of an abundance of caution; however, the patients have been advised to keep their appointments unless they are contacted by a hospital employee and asked to reschedule. Without access to computer systems, staff are unable to access patient information, so downtime procedures have been implemented.
Patients have been advised to bring a list of current medications to their appointments or empty prescription bottles, a list of any allergies, printed physician orders for imaging studies and treatments, and printed results of any recent lab tests. While there has been disruption to certain websites, the McLaren Health Care patient portal and the Karmanos patient portal appear to function correctly.
“We understand this situation may be frustrating to our patients – and to our team members – and we deeply and sincerely apologize for any inconvenience this may cause,” explained McLaren Health Care. “We kindly ask for your patience while our caregivers and support teams work as diligently as ever to provide our communities the care they need and deserve.” At such an early stage of the investigation, McLaren Health Care is unable to provide a timeline for when the affected systems will be restored.
A Reddit user has posted a copy of a ransom note from the Inc Ransom group, but it has not been possible to verify the authenticity of the note, and the ransomware group’s sites are currently inaccessible. This would not be the first ransomware attack on McLaren Health Care. Last year, it was the victim of a ransomware attack by the AlphV ransomware group.
