Fraud Management & Cybercrime , Legislation & Litigation , Ransomware
Officials Warn of Risks as McLaren Recovers From Attack
Michigan AG and Lawmaker Want Michigan to Bolster Cyber ProtectionsAs McLaren Health Care continues to restore its IT systems in the wake of a disruptive ransomware attack last week, some Michigan government officials are warning consumers about potential cybercrimes and other serious concerns stemming from that and similar security incidents involving healthcare groups in the state.
See Also: Twelve Steps to Safeguarding Critical Data and Meeting PCI Compliance
Michigan Attorney General Dana Nessel in an alert is urging consumers to be proactive in monitoring their credit and other accounts in the wake of the second major cyberattack on McLaren Health within the last year.
Grand Blanc, Michigan-based McLaren Health operates 13 hospitals and other facilities in the state, including Michigan's largest network of cancer care centers.
"These events serve as a clear warning that our most private information is under constant threat from cybercriminals," Nessel said. "I encourage everyone to be diligent in safeguarding their accounts and to be on the lookout for any indications of personal data exploitation."
Nessel said in the alert that Michigan is still among the minority of states that do not require major data breaches to be reported to state regulators, such as the attorney general's office.
"While more than 30 other states have laws requiring state notification of significant breaches, Michigan is not among them, and consumer protection agencies like ours often only learn of these attacks by media reporting," she said.
McLaren Health's latest attack - which came on the heels of a May ransomware attack on Ascension that disrupted that organization's IT services at more than 100 hospitals across several states, including in Michigan - is drawing the attention of some Michigan state lawmakers.
State Rep. Donni Steele, a Republican who represents Michigan's Orion Township, last week called upon the state's Legislature "to enhance the penalties for waging ransomware attacks and improve partnerships with local law enforcement to better respond to ransomware."
Currently, the maximum penalty for hacking into a computer system in Michigan is only up to five years in prison, while the maximum penalty "for possessing ransomware" is up to three years in prison, Steele said in a statement.
"It's unacceptable that criminal gangs who maintain a stranglehold over healthcare services for our communities face only five years in prison if they're caught," she said. "These attacks disrupt medical treatment for people in need. No cancer patient or expecting mother should have to worry about cybercriminals when seeking care at a local hospital."
"Lax punishments for ransomware attacks are opening the door for these criminals to target people and businesses in Michigan," Steele said. "Clearly, this threat is not going away. Lawmakers cannot just sit on the sideline and hope everything works out."
Steele urged her fellow lawmakers to take a "holistic approach and ensure that the state and federal government is partnering with local law enforcement" to combat cyberthreats.
"We need to guarantee police have whatever resources they need to protect our healthcare system," she said.
Steele did not immediately respond to Information Security Media Group's request for additional comment, including whether she planned to introduce healthcare cybersecurity legislation.
Latest Attack
Last week's attack on McLaren Health, allegedly carried out by ransomware group INC Ransom, is the second time in less than a year that a cybercriminal gang hacked the organization (see: McLaren Health Hit with Ransomware for Second Time in a Year).
Last October, Russian-speaking ransomware gang BlackCat/Alphv claimed to have stolen 6 terabytes of McLaren Health data - compromising sensitive information of more than 2 million patients. McLaren Health, which said at the time it detected suspicious activity on its network months earlier - in August 2023 - has not publicly disclosed whether it paid a ransom to BlackCat. (see: Group Claims it Stole 2.5 Million Patients' Data in Attack).
McLaren Health reported its 2023 ransomware breach to the U.S. Department of Health and Human Services on Oct. 23, 2023, with a placeholder estimate of only 501 individuals being affected.
While McLaren Health is still facing several proposed federal class action lawsuits involving that earlier hack, a handful of law firms - including Migliaccio & Rathod LLP and Console & Associates P.C. - issued statements in recent days indicating they are already teeing up possible litigation related to the latest attack (see: McLaren Health Care Facing 3 Lawsuits in Ransomware Hack).
In a statement about the incident last updated on Monday, McLaren Health said it's continuing efforts to fully restore its operations following last week's cyberattack.
McLaren Health's hospitals and clinics are "largely operational," including radiation therapy units at its Karmanos Cancer Institute care facilities across the state, the statement says. Still, ambulances at some McLaren Health hospitals remain on diversion for certain conditions, the entity said.
McLaren Health also said it is still determining whether any patient or employee data was compromised.
McLaren Health did not immediately respond to ISMG's request for additional details about the ongoing incident, including when IT systems are expected to be fully restored and if McLaren Health paid a ransom to the threat actors.
Building Resiliency
The latest attack on McLaren and similar disruptive incidents involving other medical providers across the U.S. continue the disturbing trend hitting the healthcare sector, some experts said.
"The days of cybersecurity being just about security are over for healthcare," said former healthcare CIO David Finn, an executive vice president at security consulting firm First Health Advisory. "The name of the game here is cyber resilience," he said.
"Regardless of whether it’s an attack, a power outage, a bad upgrade, or a critical third party, you must have a plan and actions to continue operating when systems go down and address how you will continue to provide patient care and conduct routine operations when the bad thing happens - before, not in the middle of the incident," he said.