Data breach of Michigan healthcare giant exposes millions of records

An unauthorized actor accessed personal information, like social security numbers, earlier this year.

Manuel Augusto Moreno via Getty Images

Michigan-based healthcare nonprofit McLaren Health Care notified more than 2 million people about a data breach exposing personal information on Thursday, according to a data breach notification report. Unauthorized access to McLaren systems began on July 28 and lasted through August, but the individual impact varies from person to person.

According to a notice on the McLaren website, the company learned of the breach on August 31. An investigation into the impacted files concluded on October 10, and if you'll take a look at today's date, it took an additional month for the company to let the public know about the incident.

"Potentially affected current and former patients of McLaren are encouraged to remain vigilant against incidents of identity theft by reviewing account statements and explanations of benefits for unusual activity and to report any suspicious activity promptly to your insurance company, health care provider, or financial institution," the nonprofit said in a statement.

While McLaren hasn't released any details about the attack, such as who is behind it or possible motivations, the ALPHV/BlackCat ransomware group claimed responsibility for the attack, according to Bleeping Computer. Ransomware groups are known to do this for publicity, but the actor behind an attack usually can't be confirmed until a third-party security researcher independently verifies it.

McLaren encompasses 13 hospitals and employs 490 physicians across Michigan and Indiana, with an annual revenue of $6.6 billion. Its offering identity protection services to affected people that enroll by February 9. There's currently no evidence that data leaked in the breach has been misused, according to McLaren.