Michigan Attorney General Dana Nessel is reminding residents about consumer protection tips in the wake of McLaren Health Care’s recent IT disruption.
“These events serve as a clear warning that our most private information is under constant threat from cybercriminals,” said Nessel. “I encourage everyone to be diligent in safeguarding their accounts and to be on the lookout for any indications of personal data exploitation. Unfortunately, at this time information is scarce as to what information may have been exposed. While more than 30 other states have laws requiring State notification of significant breaches, Michigan is not among them, and consumer protection agencies like ours often only learn of these attacks by media reporting.”
Nessel wants consumers to understand the importance of protecting their medical information after a data breach and to recognize the warning signs that may indicate someone is using their information. Affected individuals should watch out for:
- A bill from your doctor for services you didn’t receive.
- Errors in your Explanation of Benefits (EOB), like services you never received or medications you don’t take.
- Calls from debt collectors about medical bills you don’t owe.
- Medical debt collection notices on your credit report that you don’t recognize.
- A notice from your health insurance company saying you’ve reached your benefit limit.
- Denied insurance coverage due to a pre-existing condition you don’t have.
A statement on McLaren’s website indicates the disruption, which was reported on Tuesday, August 6, was the result of a “criminal cyber attack.” McLaren’s statement goes on to indicate its facilities are “largely operational,” but admits it has limited access to its systems.
In October of last year, McLaren was the victim of another attack by a cybercriminal gang known as BlackCat/AlphV, which claimed to have stolen sensitive personal health information of 2.5 million McLaren patients. Approximately 2,148,749 Michigan residents were sent data breach notice letters advising that certain personal information may have been impacted.
McLaren Health Care is a 13-hospital integrated healthcare system based in Grand Blanc, Michigan. Among its facilities is Michigan’s largest network of cancer centers and providers.
If you receive a notification letter or hear about a data breach at one of your medical providers, take these steps to secure your medical and financial accounts:
- Change the passwords on any medical portals you use.
- Check your EOBs from insurers carefully.
- Contact your bank and credit card issuers to place an alert on your accounts.
For more information on how to respond to data breaches, read Attorney General Nessel's consumer alert "Data Breaches: What to Do Next."
If consumers are concerned that their data may have been impacted, they can also consider freezing their credit. A credit freeze prevents creditors—such as banks or lenders—from accessing individuals’ credit reports. This will stop identity thieves from taking out new loans or credit cards in consumers' names because creditors will not approve their loans or credit requests if they cannot first access their credit reports. By law, a credit bureau must allow you to place, temporarily lift, or remove a credit freeze for free.
When consumers freeze their credit with each bureau, the bureaus will send them a personal identification number (PIN). The consumers can then use that PIN to unfreeze their credit if they want to apply for a loan or credit card. Consumers can also use the PIN to freeze their credit again after they have applied for loans or new credit cards.
Individuals will have to freeze their credit with each bureau: Experian (+1 (888) 397-3742), Equifax (+1 (888) 766-0008), and TransUnion (+1 (800) 680-7289).
Cyber attacks in the healthcare sector have been increasing along with the severity of data breaches. The largest data breach in 2023 compromised over eight million records. In 2022, eight out of eleven biggest data breaches happened at hospitals or health systems.
Ransomware is one of the most common threats against healthcare organizations. The FBI received 870 complaints of ransomware attacks last year—210 from healthcare entities—more than any other sector.
The healthcare industry is highly targeted by cyber attacks because it stores large amounts of Personal Health Information (PHI). These data breaches are costly; with an average breach costing over $11 million to fix.
The McLaren attack comes only months after a ransomware attack on St. Louis-based Catholic healthcare system Ascension—which operates fifteen hospitals in Michigan—and only weeks after Michigan Medicine announced that up to 56,953 patients may have had some health information compromised when employee emails were hacked between May 23 and May 29 this year.
McLaren has not provided a date for when its systems will be fully functional again.