Dec. 13—BENZONIA — A healthcare provider with outpatient clinics in eight northern Michigan counties is the latest medical entity to fall victim to a data breach.

Crystal Lake Clinic President Dr. Jacob Flynn confirmed the outpatient care provider experienced a "cyber security incident" and is working with third-party investigators to assess the damage.

"The investigation is in its early stages and ongoing," Flynn said in a statement. "Protecting our patients' information is our highest priority and we continue to take significant measures to protect the information entrusted to us."

Details of the incident were posted last month on a website that announces such incidents, DataBreaches.net, run since 2009 by "Dissent Doe," an anonymous healthcare professional and privacy advocate.

The HIPAA Journal, an academic publication covering patient data compliance issues, also in November, reported the incident on its website.

These reports state a small amount of of Crystal Lake Clinic data was already released online, although hackers reportedly claimed to have 120 gigabytes of data, including names, Social Security numbers and health insurance information.

That amount of data — 120 gigabytes — is equal to the storage required for about 30,000 photographs or 2 million one-page text documents, according to data storage estimates and, while significant, is not as large as a hospital breach reported in October.

McLaren Health Care, a Grand Blanc-based provider operating McLaren Northern Michigan in Petoskey and 12 other Michigan hospitals, emailed 2.2 million patients and former patients, acknowledging a cyber incident, later confirmed to be a ransomware attack, in which hackers may have released patient data on the dark web.

McLaren, in the email, states that while there was no evidence their data was sold to identity thieves, the provider offered to pay for a year of identity protection services.

Also in October, Munson Healthcare officials began investigating a cyber incident at Otsego Memorial Hospital in Gaylord that prompted a shutdown of the hospital's computer system.

Munson Healthcare acquired Otsego Memorial in 2018 and a Munson spokesperson said the shutdown was limited to Gaylord only, and officials had no reason to believe patient data was compromised.

Federal information on security breaches where patient data was compromised shows cyberattacks on hospitals are increasing, in both frequency and sophistication.

Brandon Smith, a cybersecurity intelligence analyst with the Michigan State Police, said one reason healthcare providers like hospitals and clinics are a big target for hackers is because the industry is technology dependent.

"There is not a lack of expertise, or resources — healthcare has a large attack vector due to the amount of technology used and cyber threat actors can send phishing emails 24/7/365," Smith said.

An entire organization can be compromised by one employee clicking on a phishing link once and entering their credentials, Smith said.

Phishing is when someone with ulterior motives sends an email pretending to be from a reputable person or company, to lure unsuspecting recipients into providing personal information like passwords, credit card numbers or bank information.

Unnamed staff at Northern Lakes Community Mental Health Authority in August provided banking information to a hacker, resulting in a theft of $283,000 in Medicaid funds, under investigation by officials with the U.S. Dept. of Homeland Security.

In 2022 and 2023, the U.S. Department of Health and Human Services recorded 29 cybersecurity breaches of Michigan healthcare providers, potentially impacting more than 4 million patients.

One scenario is for a hacker or hacker group to install ransomware on a hospital or a health clinic's computers, locking up records until the hospital pays a ransom, usually in a currency called bitcoin, which is difficult — if not impossible — for law enforcement to trace.

If the provider doesn't pay by the deadline, there's a danger the hackers will release patient data on the dark web — a marketplace for illegal activity.

Crystal Lake Clinics did not report receiving — or paying — a ransom note, although specifics of cybersecurity incidents are rarely shared with the public as healthcare providers say they are bound by the Health Insurance Portability and Accountability Act — known as HIPAA — not to share protected patient information.

MSP's Smith said ransomware is so prevalent because of how easy it is for a cyber threat actor to compromise an organization.

"Another reason is victims do not have up-to-date offline backups, so when they are compromised, they pay the ransom demand to avoid rebuilding the affected network," Smith said.

"If we keep paying the ransoms, we will perpetuate the issue that is ransomware," Smith said.

An FBI spokesperson with the Detroit office previously said she couldn't confirm or deny the agency's involvement with either the Munson cyber incident or the McLaren ransomware attack.

Anyone who believes their data was part of a breach, however, should file a complaint with the FBI's Internet Crime Complaint Center.