  • McLaren Health Care data breach impacts 2.2 million people, echoing a previous ransomware incident.
  • Breach timeline: Unauthorized access from July 28, discovery on August 31, disclosure in November.
  • Highly sensitive data was exposed, including SSNs, health insurance information, and medical records.
  • In October, ransomware group ALPHV/BlackCat alleged that McLaren had attempted a cover-up.
  • It’s necessary to prioritize incident response to avoid severe consequences and protect your organization.

Does this headline give you a case of déjà vu? That’s because, only last month, a ransomware group claimed to have stolen the personal health information (PHI) of 2.2 million patients registered with McLaren Health Care.

However, it’s only now that McLaren is acknowledging the breach. What happened, and why the discrepancy? 

Let’s find out. 

What happened with the McLaren Health Care breach?

On November 9, Michigan-based healthcare nonprofit McLaren Health Care shared a data breach notification report and notified more than 2 million people about a breach exposing their personal information. 

According to a notice on the McLaren website, unauthorized access to McLaren systems began on July 28, with the company realizing it had been breached on August 31. 

McLaren then conducted an investigation into the attack, which concluded on October 10, although it took the company a month to let the public know about the incident.

According to the evidence, the unauthorized actor(s) got their hands on the following types of lucrative, highly sensitive data during their attack: 

  • Full name
  • Social security number (SSN)
  • Health insurance information
  • Date of birth
  • Billing or claims information
  • Diagnosis
  • Physician information
  • Medical record number
  • Medicare/Medicaid information
  • Prescription/medication information
  • Diagnostic results and treatment information

In its notification, McLaren has stated that all impacted individuals will receive email communications confirming that their data was compromised, along with instructions on enrolling in identity protection services for a year.

Interestingly, McLaren says it currently holds no evidence that cybercriminals abused the exposed data. However, the company has kind of undermined this statement by noting that:

“Potentially affected current and former patients of McLaren are encouraged to remain vigilant against incidents of identity theft by reviewing account statements and explanations of benefits for unusual activity and to report any suspicious activity promptly to your insurance company, health care provider, or financial institution.” 

Let’s rewind a month… 

While McLaren has been rather cagey about how this data breach happened, the hacking group that is 99% responsible has been very vocal.

We’re talking about the ALPHV/BlackCat ransomware gang. A whole month ago, in October, they released a post on the dark web claiming to have stolen data belonging to 2.5 million McLaren Health Care patients, and added McLaren Health Care to the list of victims on their dark web site.

Given that the number of impacted patients is pretty much identical, we can deduce that the two incidents are one and the same. So, why has it taken McLaren so long to let its patients know?

According to the ALPHV/BlackCat ransomware gang, there may be a cover-up at play. On their Tor leak site, the threat actors stated that:

“A Mclaren representative…asked not to publish the stolen data and skillfully wanted to cover up the fact that their network had been hacked. Mclaren was preparing a way out and ended up devaluing the sensitive data of 2.5 million of their patients.”

What will happen to McLaren Health Care now? 

In October, when news of the ransomware attack surfaced, law firms acted swiftly, with multiple lawsuits initiated against McLaren asserting that the company neglected to implement the safeguards necessary to protect patient data privacy.

According to the lawsuits, the breach is a violation of McLaren’s obligations under several regulations, including the FTC Act, Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), Michigan Consumer Protection Act, and Michigan data breach notification law.

Now that McLaren has publicly acknowledged the breach, there’ll no doubt be even more lawsuits filed in the upcoming days.

Lessons learned from the McLaren Health Care breach

For organizations reading this, the lesson is crystal clear: prioritize the incident response process.

Identifying, addressing, and reporting data security incidents is not a matter of choice. Attempting to bypass this process will only result in more severe consequences, including higher fines, additional legal action, and significant damage to your reputation.
