Cyberattacks on Major Healthcare Systems: Ascension Health, Corewell Health, and McLaren Health
In recent years, healthcare systems have become prime targets for cyberattacks, with significant incidents affecting major providers like Ascension Health, Corewell Health, and McLaren Health. These attacks have disrupted operations, compromised patient data, and highlighted vulnerabilities in the healthcare sector's cybersecurity infrastructure.
Ascension Health's 2024 Ransomware Attack
In May 2024, Ascension Health faced a severe ransomware attack that crippled its network systems. The attack led to widespread operational disruptions, including delays in lab results and medication errors, as providers were locked out of critical systems. Ascension engaged cybersecurity experts to investigate and remediate the situation, but the attack necessitated the temporary shutdown of electronic health records, forcing staff to rely on manual documentation processes.
The impact on patient care was significant, with some hospitals diverting ambulances and postponing non-emergency procedures. Although Ascension has restored its electronic health records, full system restoration is ongoing. The breach was reported to the Office for Civil Rights, but the extent of data compromise remains unclear.
Corewell Health's 2023 Data Breaches
Corewell Health experienced two major data breaches in 2023, exposing sensitive information of over one million patients. The first breach involved Welltok, Inc., while the second, in December, involved HealthEC, LLC, a vendor providing population health management services. The breaches compromised names, addresses, Social Security numbers, and medical records.
In response, impacted individuals were notified, and HealthEC offered credit monitoring and identity protection services. These incidents underscored vulnerabilities in third-party vendor systems and prompted calls for stronger legislative protections for patient data.
McLaren Health's Cyberattacks in 2023 and 2024
McLaren Health suffered a ransomware attack in August 2023, impacting 2.5 million patients and disrupting critical treatments, including cancer therapies. A subsequent cyberattack in 2024 further affected its systems and operations. The 2023 attack was linked to the BlackCat/AlphV ransomware group, which claimed to have stolen terabytes of data.
These attacks led to delays in medical procedures and forced McLaren to operate under downtime procedures, affecting patient care and scheduling. The health system is working with cybersecurity experts to mitigate the impacts and has advised patients to bring physical copies of medical information to appointments.
In 2023 and 2024, the healthcare industry experienced a significant increase in cyberattacks, particularly ransomware attacks, which have had a profound impact on healthcare operations and data security.
2023 Statistics
- Ransomware Attacks: In 2023, ransomware attacks against the healthcare sector nearly doubled compared to 2022. There were 389 reported ransomware incidents in the healthcare sector worldwide, with 258 of these occurring in the United States alone, marking a 128% increase from the previous year[1][5].
- Impact on Hospitals: At least 141 hospitals were directly affected by ransomware attacks, disrupting IT systems and patient data access. This led to emergency departments redirecting ambulances and delays in medical procedures[6].
- Data Breaches: Over 134 million individuals were affected by healthcare data breaches in 2023, marking a 141% increase from 2022. Hacking-related breaches accounted for 79% of the major breaches reported[4][7].
- Financial Impact: The healthcare sector faced nearly $60 million in adjusted losses due to ransomware attacks, with the average cost of a data breach reaching $11 million[3][6].
2024 Statistics
- Data Breaches: In the first half of 2024, more than 31 million Americans were affected by the ten largest health data breaches. This number is expected to grow as further details emerge about significant attacks on Change Healthcare and Ascension Health[2].
- Ransomware Trends: The healthcare sector remains a prime target for ransomware attacks due to its reliance on digital records and the critical nature of its operations. The sector's vulnerabilities are exacerbated by the extensive use of internet-connected systems and the large amounts of sensitive data they handle[1][2].
These statistics underscore the urgent need for healthcare organizations to strengthen their cybersecurity measures to protect against increasingly sophisticated cyber threats. The healthcare sector's critical role in society makes it an attractive target for cybercriminals, necessitating robust defenses to safeguard patient data and ensure the continuity of care.
In 2023, the healthcare sector was heavily targeted by ransomware attacks, with several ransomware variants being particularly prevalent. The most common ransomware variants that targeted healthcare organizations included:
- LockBit: This ransomware group was one of the most active in targeting the healthcare sector. LockBit operates as a ransomware-as-a-service (RaaS) provider, allowing affiliates to use its ransomware to conduct attacks. It was responsible for a significant portion of ransomware incidents in 2023, both globally and in the United States[1][2].
- ALPHV/BlackCat: Another major player in the ransomware landscape, ALPHV, also known as BlackCat, was frequently used in attacks against healthcare institutions. This group is known for its sophisticated operations and has been involved in numerous high-profile attacks[2][6].
- Cl0p: The Cl0p ransomware group was also highly active in 2023, targeting healthcare systems among other sectors. This group is known for its aggressive tactics, including data theft and extortion[1][6].
- BianLian: This variant was noted for its impact on the healthcare sector, although it was less prevalent than LockBit and ALPHV[1].
- Black Basta: Another ransomware group that targeted healthcare organizations, Black Basta was involved in several incidents throughout the year[2].
These ransomware variants employed various sophisticated tactics, including exploiting vulnerabilities, phishing, and using stolen credentials to gain access to healthcare networks. The attacks often resulted in significant disruptions to healthcare services, highlighting the critical need for improved cybersecurity measures in the sector.
In 2023, ransomware attacks showed notable differences in their impact across various regions, with certain areas experiencing higher rates and specific challenges.
Regional Differences in Ransomware Attacks in 2023
- United States: The U.S. remained the most targeted country for ransomware attacks, accounting for a significant portion of global incidents. In the third quarter of 2023 alone, the U.S. experienced 575 ransomware cases, representing 51% of all attacks worldwide during that period[1]. The U.S. saw a 75% increase in ransomware events between the first and second halves of the year, highlighting its vulnerability and attractiveness to cybercriminals[5].
- United Kingdom: The UK was the second most targeted country, with 77 ransomware cases in the third quarter of 2023. This is significantly lower than the U.S., but it still underscores the UK's position as a frequent target for ransomware groups[1].
- Canada: Canada ranked third in terms of ransomware attacks, with 48 cases in the third quarter of 2023. Like the UK, Canada experienced fewer attacks compared to the U.S., but it remained a notable target for cybercriminals[1].
- Asia-Pacific (APAC): The APAC region had the highest ratio of organizations targeted by ransomware, with 11% of organizations affected in 2023. This suggests a growing focus on this region by ransomware groups, possibly due to the increasing digitalization and economic growth in APAC countries[2].
- Europe: European countries, including Germany and France, also reported significant ransomware activity, although specific numbers were not as high as in the U.S. The continent faced challenges related to data protection regulations and the need for cross-border cooperation in tackling cyber threats[5].
These regional differences highlight how ransomware groups may prioritize targets based on factors such as economic size, digital infrastructure, and perceived vulnerabilities. The high incidence of attacks in the U.S. can be attributed to its large economy and the presence of numerous high-value targets. Meanwhile, the growing focus on APAC indicates a shift in ransomware strategies to exploit emerging markets and less fortified digital environments.
In 2023, the healthcare sector faced numerous ransomware attacks, with several common initial infection vectors identified as primary methods for these breaches. The most prevalent initial infection vectors for ransomware attacks in healthcare included:
- Phishing Emails: Phishing remained one of the most successful and common methods for initial access. These attacks often involved malicious links or attachments in emails designed to trick recipients into providing credentials or downloading malware[1][2]. Phishing relies heavily on social engineering tactics, exploiting human vulnerabilities such as curiosity, fear, or urgency[1].
- Exploited Software Vulnerabilities: Attackers frequently exploited unpatched systems and zero-day vulnerabilities to gain unauthorized access to healthcare networks. This method allowed ransomware to be delivered by taking advantage of weaknesses in software that were either known but not yet patched or entirely unknown at the time of the attack[1][3].
- Remote Desktop Protocol (RDP) Attacks: RDP attacks involved brute force techniques to guess credentials or exploit weak passwords. If RDP services were exposed to the internet without adequate security measures, they became prime targets for attackers[1].
- Compromised Credentials: The use of stolen or compromised credentials was another significant initial access vector. These credentials could be obtained through phishing, data breaches, or purchased on the dark web, allowing attackers to infiltrate healthcare systems[3].
- Drive-By Downloads and Malvertising: These methods involved tricking users into downloading malware through malicious websites or advertisements without their knowledge[1].
These vectors highlight the importance of maintaining robust cybersecurity measures, such as regular software updates, employee training on phishing awareness, and the implementation of strong authentication protocols, to mitigate the risk of ransomware attacks in the healthcare sector.
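For the RDP credential-guessing and compromised-credential vectors listed above, the following is an added example (not part of the original article) of detection logic: it counts failed RDP logons per source address in a sliding window and flags a success that follows a burst. The one-line log format, the function name `detect_rdp_guessing`, the threshold and the window are assumptions; the event IDs (4625 failed logon, 4624 successful logon) and logon types (10 RemoteInteractive, 3 network) are the standard Windows Security log values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: simplified one-line renderings of Windows Security events.
# With Network Level Authentication, failed RDP logons are recorded as LogonType 3.
SAMPLE_LOG = """\
2024-01-15T02:14:01 EventID=4625 LogonType=3 User=administrator Src=203.0.113.50
2024-01-15T02:14:09 EventID=4625 LogonType=3 User=administrator Src=203.0.113.50
2024-01-15T02:14:17 EventID=4625 LogonType=3 User=admin Src=203.0.113.50
2024-01-15T02:14:26 EventID=4625 LogonType=3 User=nurse1 Src=203.0.113.50
2024-01-15T02:14:34 EventID=4625 LogonType=3 User=nurse1 Src=203.0.113.50
2024-01-15T02:14:41 EventID=4625 LogonType=3 User=nurse1 Src=203.0.113.50
2024-01-15T02:15:02 EventID=4624 LogonType=10 User=nurse1 Src=203.0.113.50
2024-01-15T08:01:10 EventID=4625 LogonType=10 User=drlee Src=198.51.100.7
2024-01-15T08:01:40 EventID=4624 LogonType=10 User=drlee Src=198.51.100.7
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"User=(?P<user>\S+) Src=(?P<src>\S+)")
RDP_LOGON_TYPES = {"3", "10"}

def detect_rdp_guessing(log_text, threshold=5, window=timedelta(minutes=2)):
    """Return {src: finding} for sources with >= threshold failed logons inside
    `window`; a later successful logon from such a source is recorded too."""
    recent = defaultdict(deque)   # src -> timestamps of failures still in window
    tried = defaultdict(set)      # src -> account names seen in failures
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["lt"] not in RDP_LOGON_TYPES:
            continue
        ts, src = datetime.fromisoformat(m["ts"]), m["src"]
        if m["eid"] == "4625":
            q = recent[src]
            q.append(ts)
            tried[src].add(m["user"])
            while ts - q[0] > window:      # expire failures older than the window
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(src, {"max_failures": 0, "success_user": None})
                f["max_failures"] = max(f["max_failures"], len(q))
                f["users"] = sorted(tried[src])
        elif m["eid"] == "4624" and src in findings:
            # Success after a burst of failures: treat as a likely compromise.
            findings[src]["success_user"] = m["user"]
    return findings
```

On the sample, only 203.0.113.50 is reported, with the successful `nurse1` logon attached; the single mistyped password from 198.51.100.7 stays below the threshold.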
Conclusion
The cyberattacks on Ascension Health, Corewell Health, and McLaren Health highlight the growing threat to the healthcare sector, which is increasingly targeted due to the sensitive nature of its data and the critical need for operational continuity. These incidents underscore the urgent need for enhanced cybersecurity measures to protect against such attacks and ensure patient safety. As healthcare systems continue to digitize their operations, robust cybersecurity strategies will be essential to safeguard patient data and maintain trust in healthcare services.
References
- Office of the Director of National Intelligence. "Ransomware Attacks Surge in 2023." [PDF document].
- Chief Healthcare Executive. "The Top 10 Health Data Breaches of the First Half of 2024."
- Axios. "Health Care Ransomware Attacks."
- Bradley. "Rise in Healthcare Data Breaches: The Impact for Healthcare Providers in 2024."
- U.S. Department of Health and Human Services. "Ransomware in Healthcare."
- HIPAA Journal. "2023 Healthcare Ransomware Attacks."
- Sangfor. "List of Top Ransomware Attacks in 2023."
- Trustwave. "Healthcare Threat Landscape 2022-2023: Common TTPs Used by Top Ransomware Groups Targeting the Healthcare Sector."
- BlackFog. "The Top 10 Ransomware Groups of 2023."
- Cyberint. "Ransomware Trends and Statistics 2023 Report."
- Check Point Research. "2023: The Year of Mega Ransomware Attacks with Unprecedented Impact on Global Organizations."
- Statista. "Businesses Ransomware Attack Rate."
- Property Casualty 360. "Ransomware Returns with a Vengeance; U.S. Hardest Hit Region."
- Kaspersky. "Ransomware Attacks in 2023."
- CISA. "Cybersecurity Advisories."
- Sophos. "The State of Ransomware in Healthcare 2023."
- Google Cloud. "Ransomware Attacks Surge, Rely on Public Legitimate Tools."