NOTICE: If you received a Notice of Data Breach letter from McLaren, contact the Arnold Law Firm at (916) 777-7777 to discuss your legal options, or submit a confidential Case Evaluation form here.
In early October 2023, McLaren publicly announced that they suffered a data breach between late August and early September of 2023 when a ransomware gang known as BlackCat/AlphV accessed McLaren’s billing systems and electronic medical records and stole approximately 6 terabytes of McLaren’s data, which includes the sensitive personal information of as many as 2.5 million patients (“Data Breach”). To make matters worse, BlackCat/AlphV ransomware gang claims that they are still actively stealing information and are continuing to operate a “backdoor” on McLaren’s systems.
McLaren is also investigating reports that some of the data stolen in the Data Breach may be available on the Dark Web. Specifically, McLaren has stated that “[b]ased on our investigation, we have determined that we experienced a ransomware event. We are investigating reports that some of our data may be available on the dark web and will notify individuals whose information was impacted, if any, as soon as possible.”
McLaren is a $6.6 billion fully integrated health care delivery system headquartered in Grand Blanc, Michigan. The McLaren system is comprised of 13 hospitals in Michigan, ambulatory surgery centers, imaging centers, a 490-member employed primary and specialty care physician network, commercial and Medicaid HMOs covering more than 732,838 individuals in Michigan and Indiana, and more. McLaren employs 28,000 individuals and more than 113,000 network providers throughout Michigan, Indiana, and Ohio.
McLaren has not made any announcement as to whether they plan to offer credit monitoring and identity protection services to victims of the Data Breach. McLaren has also not yet confirmed which types of Personally Identifiable Information (“PII”) or Protected Health Information (“PHI”) were exposed in the Data Breach.
PII is important because it tells others about you and is considered part of your identity. Businesses are required to secure this information or risk facing statutory penalties, among other legal penalties. Stolen PII can be used by identity thieves to engage in fraudulent activity using your identity.
PHI (a specific type of PII) is protected under both state and federal law. Health care providers and other businesses who handle PHI are required to protect that information. Like stolen PII, stolen PHI can be used by identity thieves to engage in fraudulent activity using your identity. Quite often, PII and PHI are used in conjunction by hackers.
The best way to protect yourself after a data breach is to sign up for credit and identity protection services as soon as possible. California offers extra protections and legal rights to its residents through the California Consumer Privacy Act (“CCPA”).
NOTICE: If you received a Notice of Data Breach letter from McLaren, contact the Arnold Law Firm at (916) 777-7777 to discuss your legal options, or submit a confidential Case Evaluation form here.