McLaren Health Care told regulators that a ransomware attack initially reported in August 2024 breached the data of hundreds of thousands of people.
# Incident Report: McLaren Health Care Ransomware and Data Exfiltration
## Executive Summary
McLaren Health Care suffered a significant ransomware attack in August 2024, attributed to an "international ransomware group," which resulted in the exfiltration of sensitive data belonging to over 743,000 individuals. The incident forced the organization to operate under downtime procedures, affecting surgeries and non-emergent appointments. Notably, this was the organization's second major cyber incident in under a year, following an attack by the AlphV gang 11 months prior.
## Incident Details
- **Discovery Date:** August 5, 2024 (suspicious activity discovered)
- **Incident Date:** Began as early as July 17, 2024 (initial unauthorized access)
- **Affected Organization:** McLaren Health Care and Karmanos Cancer Institute
- **Sector:** Healthcare
- **Geography:** Michigan, USA
## Timeline of Events
### Initial Access
- **Date/Time:** As early as July 17, 2024
- **Vector:** Not detailed in the article, which states only that unauthorized access to the computer networks occurred.
- **Details:** Suspicious activity was first discovered on August 5, 2024, confirming a prolonged period of compromise prior to internal detection.
### Lateral Movement
- **Details:** The attack impacted the computer networks of both McLaren Health Care and Karmanos Cancer Institute, implying successful lateral movement across the interconnected infrastructure.
### Data Exfiltration/Impact
- **Details:** Data pertaining to 743,131 individuals was stolen. The breached data included Social Security numbers, health insurance information, names, driver’s license numbers, and medical information. The attack forced the organization into downtime procedures, leading to canceled surgeries and rescheduled non-emergent appointments. A ransom note from the INC ransomware gang was allegedly shared publicly.
### Detection & Response
- **Details:** Suspicious activity was discovered on August 5, 2024. A forensic review was completed recently (prior to the June 23, 2025 report date). McLaren operated under downtime procedures while IT systems were restored. Victims were notified and offered one year of credit monitoring.
## Attack Methodology
- **Initial Access:** Initial unauthorized access achieved on or before July 17, 2024. (Specific vector unknown; possibly phishing, RDP compromise, or vulnerability exploitation, given the ransomware context).
- **Persistence:** Implied, as access was maintained from July 17 until detected on August 5.
- **Privilege Escalation:** Not explicitly detailed.
- **Defense Evasion:** Not explicitly detailed.
- **Credential Access:** Not explicitly detailed, but necessary to move laterally and access sensitive data.
- **Discovery:** Not explicitly detailed, but the threat actor likely performed internal reconnaissance.
- **Lateral Movement:** Successfully impacted the networks of both McLaren Health Care and Karmanos Cancer Institute.
- **Collection:** Collected PII and PHI, including SSNs, driver's license numbers, health insurance data, and medical information.
- **Exfiltration:** Data was successfully exfiltrated prior to disclosure.
- **Impact:** Deployment of ransomware (INC gang suspected) leading to IT system outages and operational disruption (downtime procedures).
## Impact Assessment
- **Financial:** Cost of remediation, downtime, and notification/monitoring services (not quantified).
- **Data Breach:** **743,131 individuals** affected. Compromised data includes Social Security Numbers (SSNs), health insurance information, driver’s license numbers, names, and medical information.
- **Operational:** Forced operation on downtime procedures; cancellation of some surgeries and rescheduling of non-emergent appointments and tests.
- **Reputational:** Significant negative impact due to the scale of the breach and the fact this was the *second* major cyber incident in 12 months for the organization.
## Indicators of Compromise
*(Note: No specific IOCs were provided in the source text; only the threat group is named, so no network or file indicators can be listed.)*
- **Network indicators:** Unknown/Not disclosed.
- **File indicators:** Unknown/Not disclosed.
- **Behavioral indicators:** Ransomware deployment, with a ransom note attributed to the **INC ransomware group** allegedly shared publicly.
## Response Actions
- **Containment measures:** Organization forced to operate using downtime procedures to isolate compromised systems.
- **Eradication steps:** Forensic review completed to determine the scope of the breach; no specific eradication steps were disclosed.
- **Recovery actions:** Working to restore several downed IT systems. Notified affected victims and offered one year of credit monitoring services.
## Lessons Learned
- The organization suffered two significant cyber incidents (this one, and the AlphV attack 11 months prior), indicating fundamental, recurring gaps in security posture or resilience.
- Prolonged unauthorized access (over two weeks) was possible before detection, suggesting weak monitoring or slow internal threat hunting capabilities.
- The incident highlights the acute operational risk healthcare providers face, where patient care (surgeries, appointments) is directly impacted by IT outages.
## Recommendations
- Immediately implement enhanced network segmentation to limit the cross-entity spread implied by the compromise of both the McLaren Health Care and Karmanos Cancer Institute environments during the incident.
- Review and harden access controls, particularly concerning initial entry vectors, given the repeated high-profile compromises.
- Conduct a comprehensive security assessment focused on detection latency, as the attack spanned over two weeks before suspicious activity was flagged.
- Enhance offline backup and disaster recovery readiness to minimize operational impact and reliance on ransomware negotiations when systems are encrypted.