Group Claims It Stole 2.5 Million Patients' Data in Attack
McLaren Health Care Ransomware Incident Among Latest Alleged Alphv/BlackCat Attacks
Ransomware-as-a-service gang Alphv/BlackCat claims to have stolen 6 terabytes of data on 2.5 million patients in a recent attack on Michigan-based McLaren Health Care, which operates 13 hospitals and dozens of other medical facilities, including a network of cancer centers.
In late August, McLaren Health Care detected "suspicious activity" on its computer network, immediately launched an investigation into the source of the disruption, and retained outside global cybersecurity specialists to assist, McLaren told Information Security Media Group in a statement Tuesday.
"We temporarily disconnected our network from the internet out of an abundance of caution," the statement said. McLaren said its facilities remained "operational" and that the organization continued to provide "exceptional" care to patients during the incident.
All of the entity's systems are currently back online, a McLaren spokesman told ISMG.
But on Friday, the Russian-speaking Alphv cybercrime gang, also known as BlackCat, which is a spinoff of the now-defunct Conti ransomware group, claimed on its dark web site to have stolen "sensitive data" of 2.5 million McLaren patients. The threat actor says its "backdoor is still running" on McLaren's network.
"Based on the current analysis with our cybersecurity specialists, we do not see evidence to this claim," the McLaren spokesman told ISMG.
McLaren said its investigation has determined that the entity did experience a ransomware event. "We are investigating reports that some of our data may be available on the dark web and will notify individuals whose information was impacted, if any, as soon as possible," McLaren said in the statement.
McLaren also said it has been in touch with law enforcement and that the organization has taken measures to further strengthen the cybersecurity of its systems.
McLaren, headquartered in Grand Blanc, Michigan, is a $6.6 billion, integrated healthcare delivery system. Among its other facilities, McLaren operates Michigan’s largest network of cancer centers and providers. McLaren's Karmanos Cancer Institute is one of about 56 National Cancer Institute-designated comprehensive cancer centers in the U.S.
McLaren is also part of a growing list of organizations in the healthcare and other sectors allegedly victimized by a growing number of recent Alphv attacks.
In January, the U.S. Department of Health and Human Services issued a warning for the healthcare and public health sectors about threats posed by BlackCat, as well as by the ransomware group Royal (see: BlackCat, Royal Among Most Worrisome Threats to Healthcare).
Soon after the HHS warning, Alphv/BlackCat claimed a number of other healthcare sector victims, including an attack in February on Lehigh Valley Health Network, which operates 13 hospitals and numerous physician practices and clinics in eastern Pennsylvania.
In that attack, Alphv/BlackCat leaked on its dark web site stolen patient information, including screenshots of diagnoses and photos of disrobed breast cancer patients that were contained in the individuals' medical care records (see: BlackCat Leaking Patient Data and Photos Stolen in Attack).
As of Tuesday, threat monitoring firm Darkfeed.io has attributed 111 attacks to Alphv/BlackCat.
"Alphv/BlackCat is particularly interested in the healthcare sector, and not many threat groups are targeting healthcare - for ethical reasons," said Christiaan Beek, senior director of threat analytics at security firm Rapid7.
"They are also very vocal in the press about their victims and even offer an API on their website so you can automate their announcements about new victims into your own tracking of data feeds," Beek said. "This tells us that they are adept at utilizing both technology and the media in an attempt to get their victims to pay faster."