Two Ransomware Attacks on McLaren Health Care Result in $14M Settlement

McLaren Health Care, a Michigan-based non-profit health system, has agreed to settle a consolidated class action lawsuit stemming from two separate ransomware attacks that occurred a year apart in 2023 and 2024. The Grand Blanc, MI-based integrated healthcare delivery system operates 12 hospitals and dozens of other healthcare facilities in Michigan, Indiana, and Ohio, in addition to a health insurance plan.

The first attack occurred in August 2023, when the ALPHV/Blackcat ransomware group breached its network and used ransomware to encrypt files. The group claimed to have exfiltrated around 6 terabytes of data before encrypting files. McLaren Health Care’s investigation determined that approximately 2.1 million individuals had data compromised in the incident, with the ransomware group having access to its network from July 28, 2023, to Aug. 23, 2023. The following year, the Inc Ransom ransomware group breached its network, stole files, and encrypted data. McLaren Health Care determined that approximately 743,000 individuals had data compromised in the incident. Inc Ransom had access to its network from July 17, 2024, to Aug. 3, 2024.

Multiple class action lawsuits were filed in response to each of the attacks. The lawsuits had overlapping claims, and to conserve resources, the lawsuits were consolidated into a single lawsuit, which was filed in the 7th Judicial Circuit Court in Genesee County, Michigan. The plaintiffs alleged that reasonable and appropriate cybersecurity measures had not been implemented in compliance with federal and state laws. The consolidated lawsuit asserted claims of negligence, breach of implied contract, breach of express contract, and just enrichment. McLaren Health Care denies all claims and contentions in the lawsuit and maintains there was no wrongdoing; however, the health system agreed to settle the litigation.

McLaren Health Care will pay $14 million to settle the lawsuit, which will coverattorneys’ fees and expenses, settlement administration costs, notification costs, and service awards. Attorneys’ fees will be one-third of the settlement fund, plus up to $50,000 for expenses. Class members may claim up to $5,000 as reimbursement for documented losses due to either data breach. In addition, a claim may be submitted for a cash payment. The cash payments will be paid pro rata after all costs have been deducted and claims have been paid. Class members will also benefit from 12 months of complimentary credit monitoring and identity theft protection services.

The settlement has received initial approval from the court, and the final fairness hearing has been scheduled for April 21, 2026.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/