Nonprofit health system hit by two data breaches settles class-action lawsuit for $14M
A Michigan-based health system that fell victim to two significant data breaches in as many years has settled a class-action lawsuit with representatives of victims for $14 million.
The first breach at McLaren Health Care—a health system with 15 hospitals, a health plan, multiple surgery centers and other clinics—happened in August 2023; the second happened in August 2024, almost exactly a year later.
In both instances, it suffered a ransomware attack where hackers were able to access patient data and lock down systems. The first data breach was more widespread, impacting 2.5 million people, mainly patients and employees.
That same cyberattack would result in 6 TB of data being posted for sale on the dark web, with infamous cybercrime syndicate ALPHV/BlackCat claiming credit. In a press release, the Michigan Attorney General’s office said the group threatened to sell the trove unless a ransom was paid.
The health system has never made a statement confirming whether it paid a ransom, and it’s assumed the data trove was posted for sale.
The second incident, reported on Aug. 7, 2024, shut down McLaren's network, and the health system resorted to paper records to maintain continuity of patient care. Care was disrupted during that intrusion, which was also confirmed to be a ransomware attack and which exposed 740,000 records, including protected health information, to the attackers.
By Aug. 28, 2024, McLaren confirmed it was back to near full operations, after purging its systems of ransomware and updating its electronic health records with the information kept on paper during the outage. It was later revealed that another notorious cybercrime gang, Inc Ransom, was responsible for the attack.
Once again, it’s unclear if the nonprofit integrated healthcare system paid a ransom, or what happened to the data taken offsite, which has value on the black market for the purposes of identity theft, future data breaches and other nefarious acts.
Lawsuits related to both incidents were consolidated in court, with plaintiffs accusing the health system of acting negligently with regard to its cyber defenses and failing to secure sensitive data on patients.
McLaren sent the HIPAA-required notifications to all known victims after both incidents were investigated with the help of cybersecurity experts. It also said it bolstered its security to prevent future attacks.
How the attackers gained access was not disclosed in either incident. Compromised data included names, addresses, phone numbers, dates of service, diagnoses, insurance information and more.
McLaren never admitted to wrongdoing, as is customary in most civil litigation settlements. However, it did agree to meet certain benchmarks for future cybersecurity to better detect attacks and protect data in the future.
Cash payment for class members
Per the terms of the agreement between attorneys representing plaintiffs and McLaren, anyone who was a victim of the data breach and signs on as a claimant is eligible for a cash payment, in an amount to be determined after legal fees and other payouts are settled.
Those who can show they were financially or personally damaged by the data breaches are eligible to recoup losses of up to $5,000.
Additionally, as is required by federal law, all those impacted are eligible for a year of credit monitoring services.
A hearing is scheduled on April 21, 2026 for a judge to finalize the terms of the agreement.
HealthExec reached out to McLaren for comment.
