Michigan hospital system recovers after cyberattack

Nearly three weeks McLaren Health Care disclosed that it experienced a cyberattack, the Michigan health system says it has restored key services and is operating normally.

McLaren Health Care says it has restored key systems after the Michigan-based provider suffered a ransomware attack earlier this month.

McLaren said this week that it had restored its information technology platforms, and all providers have access to electronic health records. The system reported that it suffered a cyberattack in early August, and it’s the second cyberattack McLaren has suffered in a year.

While McLaren continued caring for patients, the system said it postponed some non-emergency surgeries due to the attack. The system said it has rescheduled surgeries or is in the process of setting up new dates for those postponed procedures. A few hospitals diverted ambulances to other facilities in the initial days of the attack.

McLaren confirmed earlier this month that the system has suffered a ransomware attack, and it affected the organization’s 13 hospitals, along with its surgery centers, cancer centers and clinics.

For McLaren, the restoration proceeded more quickly than expected. McLaren had initially projected systems wouldn’t be fully restored until the end of the month, but the work was done ahead of schedule.

“McLaren Health Care leadership extends its sincere gratitude to its patients for their understanding, assistance, and patience as its teams worked tirelessly and diligently to fully restore its network,” the system said in a release.

It’s still not clear what records, if any, may have been exposed. McLaren says it’s continuing to work with cybersecurity experts to determine if patient and employee information was exposed, and how many records may have been compromised. McLaren says it will contact individuals directly if it’s determined that their data was exposed.

Phil Incarnati, president and CEO of McLaren Health Care, said this month’s attack once again illustrates the ever-present threat of cyberattacks to hospitals and health systems.

“Our experience has made clear that cyberattacks against our health care infrastructure are an industrywide problem, and it’s not hyperbole to call health care cybercrime a national security threat,” Incarnati said in a statement after McLaren confirmed the system experienced a ransomware attack. “I’m committed to working with my fellow providers, elected officials, law enforcement and cyber experts to find ways to hold these criminals accountable and prevent their entry into our systems.”

The system says some recovery work will continue. Clinicians were forced to manually chart patient health records over the past few weeks, and adding that information to the electronic health record system is likely going to take several weeks, the system said.

McLaren’s emergency departments are all open and are accepting all patients. The health system is advising patients they can schedule primary and specialty care appointments and imaging appointments as well.

Nationwide, there were 341 breaches of health data reported to the U.S. Department of Health & Human Services in the first six months of the year.

• Read more: The 10 largest health data breaches of the first half of 2024

The Ascension health system, which operates more than 100 hospitals and clinics, including some in Michigan, also experienced a cyberattack this spring. Ascension said the attack affected patient care for weeks, with some hospitals diverting ambulances and patients seeing longer waits at clinics. It took several weeks to restore electronic health records at some facilities.

Hospitals and health systems nationwide experienced serious problems from the ransomware attack of Change Healthcare, a subsidiary of UnitedHealth Group. Change Healthcare handles business functions for a wide array of providers, and the disruption of services took a financial toll on almost all of the hospitals and medical groups in the country. UnitedHealth has said many Americans are likely to be affected.

Cyberattacks on health systems are more expensive than any other sector, and that’s been the case for more than a decade, according to a report released last month by IBM. The average cyberattack in healthcare cost organizations more than $9.7 million.

Healthcare leaders have been asking Congress to offer hospitals more help in protecting against cyberattacks.