McLaren Health Care said it shut down the computer network at its 14 Michigan hospitals last week "out of an abundance of caution" after its information technology security team found suspicious activity during routine monitoring.
The outage, an employee and a patient told the Free Press, affected at least the organization's billing systems and electronic medical records, and meant that workers at times had to use personal cellphones to communicate. McLaren, however, would not confirm specifically what systems were affected, whether patients' protected health information was compromised or even when the security threat was first identified.
Headquartered in Grand Blanc, McLaren is just the latest Michigan health system to face a growing threat caused by cyberattacks.
Consumers, though, can be kept in the dark unless their private medical data has been exposed, and even then, organizations have 60 days to inform people.
"In recent years, increasingly sophisticated cyberattacks in the health care and public health sectors have posed alarming threats to people in Michigan and across the country," U.S. Sen. Gary Peters, D-Mich., said during a March Homeland Security and Governmental Affairs Committee meeting.
"Cyberattacks on hospitals and other health care providers can cause serious disruptions to their operations and prevent them from effectively providing critical lifesaving care to their patients. Breaches can also lead to the exposure of sensitive personal and medical information of patients and health care personnel."
Each breach can expose the personal data of thousands of people, putting them at risk of identity theft, scams and additional cyberattacks.
Each health care data breach costs millions
The U.S. Department of Health and Human Services reported that data breaches among health care organizations more than doubled from 2019 to 2021. And in 2022, at least 28.5 million health care records were breached.
Trustwave, a Chicago-based cybersecurity company, released a report in July that found nationally, 24% of all cyberattacks in the U.S. in 2022 targeted the health care industry.
"The average cost of a health care data breach in 2023 is about $11 million," said Karl Sigler, senior security research manager at Trustwave.
"It's the highest cost of any industry, about 50% higher than hospitality, retail, etc. And that's because of the complexity of the networks, how data is stored, compliancy issues and penalties and fees and fines that have to be addressed. And outreach to affected customers is something that some industries don't have to do, but health care obviously does."
In addition, the incidents spawn lawsuits. In 2021, Scripps Health paid $3.5 million as part of a settlement to patients affected by a data breach.
The largest ransomware attack in 2022, Trustwave found, involved Illinois-based CommonSpirit Health and compromised the data of more than 623,000 patients in multiple states. The health system said the breach cost more than $150 million, and it, too, was the subject of a class-action lawsuit.
Digital attacks can have deadly real-world impact
Cyberattacks are not just costly, they also can be deadly.
An Alabama woman sued the hospital where she delivered her baby in 2020, alleging that a ransomware attack prevented doctors from properly monitoring her daughter's heart rate, court documents show. Because technology at the hospital wasn't working as it should, she said doctors didn't realize that the umbilical cord was wrapped around her baby's neck, causing brain damage. The child died a few months later.
In September 2020, a woman in Germany suffered an aortic aneurysm and was en route to a hospital that had been struck by a ransomware attack. The ambulance had to be rerouted to a different hospital, where the woman died.
The Institute for Peace Research and Security Policy at the University of Hamburg called it "the first time that a virtual attack has been publicly connected to the very real loss of life."
"These relentless cyberattacks show that foreign adversaries and cybercriminals will stop at nothing to exploit cybersecurity vulnerabilities, our critical infrastructure and most essential systems," said Peters. "What is most concerning about these attacks is that they don't just compromise personal information. They can actually affect patient health and safety."
A 2021 study from Proofpoint and the Ponemon Institute found that among 641 organizations that provide IT for health care companies, 89% had experienced at least one cyberattack in the last year. Of them:
64% said ransomware attacks caused delays in procedures and tests that resulted in poorer outcomes, including an increase in the severity of illness for patients.
59% said patients had to stay longer in the hospital as a result of ransomware attacks.
24% said ransomware attacks caused an increase in the hospital's mortality rate.
"It's really hard to get direct evidence that any specific attack caused a person to pass away, but the evidence is there. It does occur and there are specific anecdotes," Sigler said.
The Michigan Department of Health and Human Services said it does not track cybersecurity breaches at health care organizations in the state; hospitals and health care systems are not required to notify MDHHS of cyberattacks.
Health care providers are required, however, to report any breach of protected health information to the U.S. Department of Health and Human Services, as well as the Federal Trade Commission.
When it comes to disclosing to the public that personal health information was compromised, the federal HIPAA (Health Insurance Portability and Accountability Act) Breach Notification Rule offers some protection.
It requires health care providers to disclose within 60 days of when a breach was first discovered details about what types of information were compromised, what steps people should take to protect themselves, what is being done to investigate the breach, as well as contact information.
If the cyberattack involved 500 people or more, “a prominent media outlet” must also be notified within 60 days.
It took until mid-July for Detroit-based Henry Ford Health to notify some patients that an email phishing scheme dating to March allowed hackers to access protected health information.
Henry Ford said it conducted a forensics investigation and didn't determine until May 16 that information such as name, gender, date of birth, age, lab results, procedure type, diagnosis, date of service, telephone number, medical record number and/or internal tracking number "could have been accessed by the bad actor."
Foreign actors do most of the damage
The vast majority of those "bad actors," Sigler said, are from large, organized groups from Eastern Europe, Russia, China, North Korea or Iran.
"It's almost always foreign actors. Occasionally, some domestic actors might get caught up in it," Sigler said. "Those groups are highly organized and they do highly targeted attacks and they tend to be the biggest attacks you see. There's also some Brazilian groups ... which are pretty large."
In January, the University of Michigan Health system was affected by an attack on a third-party vendor from the pro-Russian hacking group KillNet.
The vendor was among several U.S. and foreign medical organizations that were targeted by KillNet on the same day because of national support for Ukraine in the war.
In that attack, several University of Michigan Health websites were intermittently down, but "none of the sites impacted contain patient information, and all patient information is safe," said spokesperson Mary Masson.
Sigler said "almost 98% of the time" cyberattacks on health care organizations are about stealing money.
"Occasionally, you'll see compromises that are about just destroying the target organization, just trying to take them down," he said. "They don't care about the finances. They just want to destroy the data, cripple them. And then we see that in, for instance, the Russian invasion of Ukraine, where their primary goal is destruction."
Ransom threats to patients
Sometimes, these online thieves will first target a health care organization, and then will try to extort more money from the patients whose information they have obtained.
Sigler detailed a devastating example of that type of ransomware attack in Lehigh, Pennsylvania, earlier this year. It was conducted by a criminal ring known as BlackCat, which has been associated with Russia.
"The bad actors exfiltrated the data first and threatened to extort the patients of the health care clinic," Sigler said. "One of the things that health care clinic was responsible for was mammograms for people who potentially had breast cancer."
The cybercriminals "started targeting the patients directly, saying, 'Hey, I have these mammograms of you. And I'm going to leak them because your health care clinic doesn't care to pay the ransom. But if you pay us a ransom, we'll make sure that your records specifically aren't leaked with everybody else's.'
"It's one of the more vicious attacks that I've seen that's been publicly disclosed."
Little is known about what exactly happened last week at McLaren. The health system did not answer questions from the Free Press about whether patients' personal health information was compromised.
It did, however, issue the following statement: "McLaren Health Care can confirm that our clinical and administrative services are operational, and we are continuing to provide health care services.
"Recently, we have been responding to suspicious network activity detected by our IT Security team during routine system monitoring. While we were investigating the activity, we temporarily disconnected our network from the internet out of an abundance of caution. During this time, we continued to provide the exceptional care that our patients and communities count on. Our response to this incident is ongoing, and we don’t want to speculate or share unverified information. We will provide additional information as we have more to share."
Better tracking of cybersecurity threats
Peters and former Sen. Rob Portman, an Ohio Republican, co-authored legislation that was signed into law and requires health care organizations to report cyber and ransomware payments to the federal Cybersecurity and Infrastructure Security Agency.
"This law will help ensure that government is able to better track cybersecurity threats to our critical infrastructure, provide more transparency and situational awareness for our cybersecurity defenses and enable CISA to warn potential victims of ongoing attacks so they know they could be the next target," Peters said.
It's a start, said Scott Dresen, chief information security officer of Corewell Health, Michigan's largest health system, but it's not enough.
"Requirements for interagency sharing of cybersecurity threat intelligence is a productive step forward," Dresen said during testimony before the Senate committee. "We need more ... enhanced collaboration ... including the ability to automate threat intelligence data sharing ... enabling rapid, near real-time automatic ingestion of threat intelligence."
Dresen urged lawmakers to find a way to make cybersecurity technology more affordable and accessible to the entire health care sector and to reduce penalties that health care organizations must pay in the wake of cyberattacks and related data breaches.
"We are in an environment where keeping up with technology to defend against advanced persistent threat is extremely expensive," Dresen said. "Many of these technologies aren't an option for financially disadvantaged health care systems due to cost. ...
"We are at our best and most capable when it comes to caring for our patients and members. That is our expertise. Our adversaries are at their best and most capable when they're attacking us. They are extremely well-funded, extremely talented and highly motivated. Many are nation-state actors or are sponsored and supported by nation-states. We can't beat them alone.
"But together, we can be more effectively protecting this vital critical infrastructure sector."
Contact Kristen Shamus, Detroit Free Press.
This article originally appeared on Detroit Free Press: Hospitals don't have to disclose cyberattacks for at least 60 days