Elekta Data Breach Impacting Over 64K McLaren Patients’ PHI

July 23, 2021 - McLaren Health Care Corporation is notifying over 64,000 patients about a data breach impacting their protected health information (PHI.)  

McLaren, which is Michigan’s “largest network of cancer centers and providers,” according to its website, reported the health data breach to the US Department of Health and Human Services Office for Civil Rights on July 16.  

The breach, part of the larger Elekta data breach, is impacting a total of 64,600 individuals, according to the Office for Civil Rights. 

“McLaren Health Care Corporation (McLaren) received notice of a security incident involving the network servers of its vendor Elekta AB. The event occurred between April 2 and April 20, 2021. Elekta provided information specific to McLaren patient information on May 17, 2021,” an “Elekta Data Security Incident Notice” posted to the McLaren website states.  

“Elekta provides technology services, including data storage, to the following MHCC facilities: Macomb, Northern Michigan, Gaylord, Cheboygan, West Branch, Lapeer, Central and Bay City. This incident did not involve access to McLaren’s systems, network, or electronic health records,” the notice states. “It occurred on Elekta’s systems.” 

The data breach involves the “full name, Social Security number, address, date of birth, height, weight, medical diagnosis, medical treatment details, appointment confirmations, and other information that McLaren Health Care Corporation may collect as a part of providing health care services. No financial account, credit card, or debit card information was involved in this incident,” the statement notes.  

“Based on the nature of the incident and its investigation, Elekta has no reason to believe that any of the data involved was or will be misused or will be made available publicly,” it states. “However, as a precaution, we are mailing letters to patients whose information may have been involved in this incident and are providing individuals with free credit monitoring and identity theft protection services.  

McLaren is encouraging patients to review their health insurance and health provider statements and to call the dedicated call center with any further questions or concerns.  

The call center can be reached at 1-866-281-0520, Monday through Friday, from 9:00 am to 11:00 pm EST, and on weekends from 11:00 am to 8:00 pm EST.  

“We regret that this incident occurred and are committed to protecting the security and privacy of patient information,” McLaren stated in the notice. “Enhancements, including rigorous data security protocols required of all our third-party vendors, to protect patient information and defend against the threat of cyber threats are regularly evaluated and implemented where appropriate.” 

Elekta’s April 2021 data breach impacted several US-based healthcare facilities, including Renown Health in Nevada, Yale New Haven Health, Lifespan, Southcoast Health, and the Cancer Centers of Southwest Oklahoma.     

“Elekta’s first-generation cloud-based storage system has experienced a data security incident,” Elekta said in a statement on its website. “A subset of customers in North America are affected.”   

Elekta is working with cyber experts and law enforcement during its investigation, the company statement reads.    

It launched the investigation to “understand what happened, mitigate any possible harm, and offer our customers a reliable solution that delivers on our commitment to ensure that cancer patients have access to precise and personalized radiotherapy treatments. We recognize the impact this might have on customers and their patients and are working tirelessly to enable customers to continue providing secure patient care.”