McLaren Health Care, a major nonprofit health system based in Michigan, has confirmed that a ransomware attack last summer led to the compromise of sensitive data belonging to over 743,000 patients.
The attack targeted both McLaren’s core operations and its Karmanos Cancer Institute. It is the second significant cybersecurity incident the organization has faced in the past two years.
This breach exposed a wide range of personal information such as Social Security numbers, driver’s license details, medical records, and health insurance data. All of this information could potentially be exploited for fraud or identity theft.
Although McLaren restored its IT systems by the end of August 2024, ahead of its initial timeline, the intricacy of the forensic investigation delayed notification of affected individuals.
The full review of compromised files was not completed until May 2025.
Only after this process did McLaren begin mailing individual notifications and offering credit monitoring and identity protection services to those impacted.
Why It Matters: This incident serves as a clear reminder of the vulnerability healthcare providers face from cybercriminals. Attacks like this can disrupt care, delay critical treatments, and damage public trust in medical institutions. With hospitals and clinics relying more heavily on digital systems, strengthening cybersecurity protections has become essential to ensure both patient safety and operational stability.
- Scale and Impact: The breach affected 743,131 individuals, compromising highly sensitive data such as names, Social Security numbers, driver’s license numbers, medical information, and insurance details. Both hospital and outpatient services across McLaren’s 13 hospitals and specialty care centers were impacted, though emergency services remained operational during the incident.
- Timeline of the Attack: The attackers gained access to McLaren’s systems between July 17 and August 3, 2024, with suspicious activity detected on August 5. Systems like electronic health records and diagnostic tools were restored by late August. However, analyzing the compromised files took until May 2025, delaying formal breach notifications.
- Perpetrators and Ransom Speculation: While McLaren’s official letters didn’t name the group responsible, evidence points to the INC Ransom gang, known for double-extortion tactics. The fact that McLaren has not appeared on the group’s data leak site has fueled speculation that a ransom was paid to prevent data publication, though McLaren has not confirmed this.
- Organizational and Legal Fallout: McLaren has offered 12 months of credit monitoring and identity theft protection to affected individuals. The breach has drawn scrutiny from regulators and triggered multiple class action lawsuits. McLaren’s leadership publicly praised staff for their dedication during the crisis but acknowledged the ongoing recovery efforts required to fully secure patient records and systems.
- Part of a Broader Threat Landscape: The McLaren breach is part of a larger pattern of cyberattacks on healthcare providers across the country. Mainline Health Systems in Arkansas faced a similar breach that exposed the personal data of more than 100,000 individuals, including Social Security numbers and medical records. Both organizations struggled with lengthy investigations before notifying patients.