Healthcare Under Siege: Why Managed Security Services Are Essential Against Growing Cyber Threats

Written by Insicon | 30/06/25 2:58 AM

The cyber threat landscape for healthcare continues to deteriorate, with the data breach notification for the 2024 attack on McLaren Health Care serving as yet another stark reminder that healthcare organisations remain prime targets for cybercriminals. This incident, affecting over 740,000 patients across Michigan's hospital network, demonstrates that the vulnerabilities we highlighted in our previous blog on healthcare cybersecurity are not only persisting but intensifying.

McLaren Health Care: A Case Study in Healthcare Vulnerability

In August 2024, McLaren Health Care—which operates 13 hospitals across Michigan alongside numerous medical centres and specialty care facilities—fell victim to a sophisticated ransomware attack that would ultimately impact 743,131 patients. The attack, attributed to the INC ransomware gang, represents everything cybersecurity experts have been warning about regarding healthcare vulnerabilities.

The attackers gained initial access on 17 July 2024, but the breach wasn't discovered until 5 August—providing nearly three weeks for the cybercriminals to move laterally through McLaren's network and exfiltrate sensitive data. The stolen information included Social Security numbers, health insurance details, names, driver's licence numbers, and comprehensive medical records.

What makes this attack particularly concerning is that it represents McLaren's second major cyber incident in just 12 months. The healthcare giant had previously been targeted by the now-defunct AlphV ransomware gang, affecting 2.1 million people. This pattern of repeat targeting demonstrates how cybercriminals view healthcare organisations as reliable, profitable targets.

The Operational Impact: When Lives Are at Stake

The McLaren attack forced the entire network into downtime procedures, with cascading effects across patient care. Emergency departments remained operational, but numerous surgeries and procedures were cancelled or postponed. The inability to access electronic health records, medical imaging systems, and other critical digital infrastructure created dangerous gaps in patient care continuity.

This operational disruption highlights a critical vulnerability that sets healthcare apart from other industries: the immediate life-and-death consequences of system downtime. Unlike retail or manufacturing sectors, healthcare organisations cannot afford extended outages, creating enormous pressure to restore systems quickly—often making ransom payments seem like the expedient solution.

Global Healthcare Under Attack: Lessons from Australia and New Zealand

The McLaren incident mirrors troubling trends we've observed across the Asia-Pacific region. Australia's healthcare sector reported the highest number of data breaches to the Office of the Australian Information Commissioner in 2023, accounting for 20% of all notifiable incidents. Recent high-profile attacks have included:

  • Epworth Healthcare in Victoria, where the Global Group ransomware gang allegedly stole 40GB of data including patient records, medical imaging files, and internal payroll information.
  • St Vincent's Health Australia, the country's largest non-profit healthcare provider, experienced a cyberattack affecting its network of hospitals and aged care facilities across multiple states.
  • MediSecure, the e-prescription service provider, suffered a "large-scale ransomware data breach incident" that prompted a whole-of-government response from Australia's National Cyber Security Coordinator.

Aged Care: An Equally Vulnerable Target

The cybersecurity crisis extends beyond hospitals to Australia's aged care sector, which has emerged as a particularly attractive target for cybercriminals. The Australian Cyber Security Centre has identified aged care as being at "high risk of accidental data breach" and a "serious target for cyber-attack."

Recent devastating attacks on aged care providers demonstrate the scope of this threat:

UnitingCare Queensland suffered a major ransomware attack by the REvil/Sodinokibi gang that took nearly two months to resolve, forcing hospitals and aged care facilities to operate on manual, paper-based systems. The attack disrupted operations across multiple Brisbane hospitals and dozens of aged care facilities.

Respect (formerly Masonic Care Tasmania) had over 313,000 files totalling 198GB allegedly stolen by the ThreeAM threat actor, including passports, credit reports, medical certificates, and comprehensive personal details of elderly residents.

TPG Aged Care in Western Australia was targeted by the LockBit ransomware gang, with 65GB of sensitive data allegedly stolen from the provider that serves as "one of the largest veterans home care service providers in Perth."

The aged care sector faces unique vulnerabilities: many of the 1,800+ aged care organisations across Australia are smaller businesses or charities that focus primarily on patient care rather than cybersecurity infrastructure. They often operate legacy systems without regular security updates, making them easy targets for sophisticated cyber threats.

New Zealand has faced similar challenges, most notably the 2021 Waikato District Health Board ransomware attack that brought down IT systems serving over 425,000 people. The attack forced cancer patients to be flown to Australia for treatment and demonstrated how cyber incidents can have cross-border healthcare implications.

Why Healthcare Remains a 'Healthy' Target

The factors that make healthcare attractive to cybercriminals haven't diminished—they've intensified:

High-Value Data Repositories: Healthcare organisations maintain comprehensive personal information that commands premium prices on criminal marketplaces. Medical records, insurance details, and financial information create a treasure trove for identity theft and fraud.

Operational Urgency: The critical nature of healthcare services means organisations face enormous pressure to restore systems quickly, making them more likely to consider ransom payments as a business continuity measure.

Legacy Infrastructure: Many healthcare organisations continue operating on outdated systems that lack modern security controls. A 2024 report found that 73% of global health systems still use medical equipment running legacy operating systems.

Expanding Attack Surface: The proliferation of Internet of Medical Things (IoMT) devices, telehealth platforms, and cloud-based services has dramatically increased potential entry points for attackers. In aged care specifically, the growing expectation for connectivity among residents—with 2.7 million Australians aged 65+ using the internet daily—creates additional vulnerabilities through social engineering attacks targeting elderly residents.

Resource Constraints: Healthcare organisations often prioritise patient care spending over cybersecurity investments, leaving security teams under-resourced and understaffed. This challenge is particularly acute in aged care, where smaller providers and not-for-profit organisations may lack dedicated IT security personnel entirely.

Willingness to Pay: Recent data shows that 84% of Australian businesses targeted by ransomware chose to pay the ransom in 2024, with average payments reaching $1.4 million. Healthcare and aged care providers face enormous pressure to restore systems quickly due to the life-critical nature of their services, making them more likely to capitulate to ransom demands.

The Australian Regulatory Response

The Australian Government has recognised the escalating threat to healthcare cybersecurity through several recent initiatives:

  • Healthcare ISAC: An AU$6.4 million investment to establish an Information Sharing and Analysis Centre specifically for the healthcare sector
  • Enhanced My Health Record Requirements: Strengthened mandatory security requirements for clinical information systems connecting to the national health record system
  • SOCI Act Inclusion: Critical hospitals with general intensive care units are now considered critical infrastructure under the Security of Critical Infrastructure Act 2018

However, regulatory frameworks alone cannot address the fundamental vulnerabilities that make healthcare such an attractive target.

The Path Forward: Building Cyber Resilience in Healthcare

The McLaren attack and similar incidents across Australia and New Zealand demonstrate that healthcare organisations can no longer treat cybersecurity as an optional investment. Building cyber resilience requires a comprehensive approach that addresses both technical vulnerabilities and organisational preparedness.

Risk Assessment and Vulnerability Management: Regular, comprehensive cybersecurity risk assessments help organisations identify and prioritise their most critical vulnerabilities before attackers exploit them.

Incident Response Planning: Healthcare organisations need robust incident response plans that account for the unique operational requirements of patient care during a cyber incident.

Staff Training and Awareness: Healthcare workers need ongoing cybersecurity training tailored to the specific threats they face, including sophisticated phishing campaigns targeting medical professionals.

Network Segmentation and Zero Trust: Implementing network segmentation and zero-trust architectures can limit the lateral movement that allowed attackers to spend weeks moving through McLaren's systems undetected.

Business Continuity Planning: Healthcare organisations need continuity plans that specifically address ransomware scenarios and the potential for extended system outages.

Managed Security Services: For many healthcare and aged care providers facing resource constraints, partnering with a Managed Security Service Provider (MSSP) offers a practical solution to maintaining robust cybersecurity without the overhead of building internal security teams. This approach provides 24/7 monitoring, threat detection, incident response capabilities, and access to cybersecurity expertise that would otherwise be prohibitively expensive for smaller organisations to maintain in-house.

Taking Action: Protect Your Healthcare and Aged Care Organisation

The pattern is clear: healthcare and aged care cybersecurity threats are escalating in frequency, sophistication, and impact. Organisations that wait for the next headline-grabbing attack to take action are gambling with patient safety and organisational survival.

The aged care sector faces particular urgency, with McGrathNicol's 2023 Ransomware Survey revealing that 56% of Australian businesses experienced ransomware attacks, with healthcare and aged care among the most targeted sectors. The sector's reliance on legacy systems, limited cybersecurity budgets, and the comprehensive personal data of vulnerable elderly residents make immediate action critical.

At Insicon Cyber, we specialise in helping healthcare and aged care organisations understand and address their unique cybersecurity risks. Our comprehensive risk assessment approach identifies vulnerabilities specific to healthcare environments—from legacy medical devices and aged care management systems to complex clinical workflows and resident data protection requirements.

For organisations facing resource constraints—particularly smaller aged care providers and regional healthcare facilities—our Managed Security Services offer a cost-effective solution to achieving enterprise-level cybersecurity without the overhead of building internal security teams. Our services include:

  • 24/7 Security Monitoring: Continuous threat detection and response capabilities that don't sleep, ensuring your systems are protected around the clock
  • Expert Incident Response: Immediate access to cybersecurity specialists who understand healthcare operations and regulatory requirements
  • Proactive Threat Hunting: Advanced threat detection that identifies sophisticated attacks before they can cause damage
  • Compliance Support: Assistance with meeting healthcare-specific regulatory requirements including Privacy Act obligations and SOCI Act compliance
  • Scalable Solutions: Services that grow with your organisation, from single-site practices to multi-facility aged care networks

This managed approach allows healthcare and aged care providers to focus on what they do best—caring for patients and residents—while ensuring their digital infrastructure remains secure and resilient.

Don't wait for your organisation to become the next headline. Contact Insicon Cyber today to schedule a comprehensive cybersecurity risk assessment and develop a blueprint for protecting your patients, residents, sensitive data, and your organisation's future.

The question isn't whether your healthcare or aged care organisation will be targeted—it's whether you'll be prepared when it happens.

Ready to strengthen your cybersecurity posture? Contact Insicon Cyber to discuss how our healthcare-focused cybersecurity expertise can help protect your organisation from the growing threat landscape.