{
	"id": "ce73c0a8-bfef-49d0-acbd-d97c3e859630",
	"created_at": "2026-04-06T00:20:00.332209Z",
	"updated_at": "2026-04-10T03:29:39.99019Z",
	"deleted_at": null,
	"sha1_hash": "44a0bdb71cbb72af4723e9bf05d8de3a0ef33b7e",
	"title": "Large Michigan healthcare provider confirms ransomware attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 183917,
	"plain_text": "Large Michigan healthcare provider confirms ransomware attack\r\nBy Jonathan Greig\r\nPublished: 2023-09-29 · Archived: 2026-04-05 17:38:11 UTC\r\nOne of the largest healthcare systems in Michigan confirmed that it is dealing with a ransomware attack after a\r\nnotorious hacker gang boasted about the incident.\r\nA spokesperson for McLaren HealthCare said the organization recently detected suspicious activity on its\r\ncomputer network and immediately began an investigation.\r\n“Based on our investigation, we have determined that we experienced a ransomware event. We are investigating\r\nreports that some of our data may be available on the dark web and will notify individuals whose information was\r\nimpacted, if any, as soon as possible,” a spokesperson said.\r\nMcLaren operates 13 hospitals across Michigan, as well as other medical services such as infusion centers, cancer\r\ncenters, primary and specialty care offices and a clinical laboratory network. The company has more than 28,000\r\nemployees and also has a wholly owned medical malpractice insurance company.\r\nEarlier this month, the company reported outages affecting billing and electronic health record systems. According\r\nto the Detroit Free Press, McLaren had to shut down the computer network at 14 different facilities — a situation\r\nthat got so bad that employees had to communicate through their personal phones.\r\nThe spokesperson said McLaren has “retained leading global cybersecurity specialists to assist in our\r\ninvestigation, and we have been in touch with law enforcement. We have also taken measures to further strengthen\r\nour cybersecurity posture with a focus on securing our systems and limiting disruption to our patients and the\r\ncommunities we serve.”\r\nThe spokesperson added that systems “remain operational” but did not respond to requests for comment about\r\nwhether billing and record systems had been restored to functionality. 
They did not say whether a ransom would\r\nbe paid.\r\nThe Black Cat/AlphV ransomware gang took credit for the attack in a post on its leak site early on Friday\r\nmorning.\r\nThe gang — which initially did not name the company before hours later adding McLaren’s name — claimed to\r\nhave stolen 6 TB of data, allegedly including the personal data of millions as well as videos of the hospitals’ work.\r\nhttps://therecord.media/mclaren-healthcare-ransomware-attack-michigan\r\nPage 1 of 4\n\nImage: McLaren\r\nHealthCare\r\nMichigan’s Emergency Management \u0026 Homeland Security department as well as the governor’s office did not\r\nrespond to requests for comment about whether expertise was being provided to the company.\r\nBlackCat has made a point of going after healthcare institutions, causing outrage earlier this year after attempting\r\nto extort a healthcare network in Pennsylvania by publishing photographs of breast cancer patients. In January it\r\ntook credit for an attack on technology giant NextGen Healthcare.\r\nThe gang caused international headlines two weeks ago with its attack on MGM Resorts, which devastated several\r\nmajor casinos in Las Vegas and left slot machines, ATMs and more paralyzed.\r\nThe attack on McLaren comes one month after another major U.S. healthcare network was attacked by\r\nransomware actors.\r\nHospitals in four states were forced to cancel appointments, divert ambulances and use paper records. 
The attack\r\nmay contribute to the closure of at least two hospitals in Connecticut.\r\nThe issue of ransomware attacks on hospitals reached Congress this week, with House members holding a hearing\r\non the crisis and taking testimony from several people who have faced off against hackers.\r\nStephen Leffler, president of one of Vermont’s largest healthcare providers, told Congress of his experience\r\ndealing with a 2020 ransomware attack, warning that despite their array of security tools, they were still hit.\r\n“This really is an arms race. As we have all seen in the news over the past few 3 years, the cybercriminals and\r\nactors are getting increasingly sophisticated, and so this important work to protect our systems will never be fully\r\nfinished,” he said.\r\nALPHV #ransomware group has added an unknown healthcare organization based out of the US state\r\nof Michigan to their victim list. They claims to have access to 6TB of organizations data. #USA #alphv\r\n#blackcat #darkweb #databreach #cyberattack pic.twitter.com/jizDcaqOuN\r\n— FalconFeedsio (@FalconFeedsio) September 29, 2023\r\nJonathan Greig\r\nis a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since\r\n2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia.\r\nHe previously covered cybersecurity at ZDNet and TechRepublic.\r\nSource: https://therecord.media/mclaren-healthcare-ransomware-attack-michigan",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://therecord.media/mclaren-healthcare-ransomware-attack-michigan"
	],
	"report_names": [
		"mclaren-healthcare-ransomware-attack-michigan"
	],
	"threat_actors": [
		{
			"id": "86ab9be8-ce67-4866-9f66-1df471e9d251",
			"created_at": "2024-05-29T02:00:03.942487Z",
			"updated_at": "2026-04-10T02:00:03.641939Z",
			"deleted_at": null,
			"main_name": "Alpha Spider",
			"aliases": [
				"ALPHV Ransomware Group"
			],
			"source_name": "MISPGALAXY:Alpha Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434800,
	"ts_updated_at": 1775791779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/44a0bdb71cbb72af4723e9bf05d8de3a0ef33b7e.pdf",
		"text": "https://archive.orkl.eu/44a0bdb71cbb72af4723e9bf05d8de3a0ef33b7e.txt",
		"img": "https://archive.orkl.eu/44a0bdb71cbb72af4723e9bf05d8de3a0ef33b7e.jpg"
	}
}