McLaren Health Care Settles Class Action Lawsuit Following Major Data Breaches
McLaren Health Care, headquartered in Grand Blanc, Michigan, has reached a $14 million settlement to address a class action lawsuit arising from two significant data breaches that potentially exposed patient information. The organization operates a network that includes 12 hospitals, ambulatory surgery centers, a health plan, and various other healthcare services.
The first breach was identified in August 2023 when McLaren noticed suspicious activities in its IT systems. The Michigan Attorney General’s office reported that the cybercriminal group known as ALPHV, or BlackCat, claimed responsibility, asserting that they had stolen six terabytes of sensitive data. This incident affected approximately 2.5 million individuals, highlighting the extensive impact that such breaches can have on healthcare organizations and their patients alike.
Approximately one year later, McLaren suffered a second cyberattack. This attack was attributed to the Inc Ransom cyber threat actors and compromised the data of over 740,000 individuals. Following the breach, McLaren swiftly enacted its downtime procedures to maintain operational functionality across its facilities, reflecting an attempt to mitigate disruption during a critical period.
In response to the breaches, affected individuals consolidated their grievances into a single lawsuit filed in the 7th Judicial Circuit Court in Genesee County. Plaintiffs alleged that McLaren failed to safeguard their personal information and did not implement adequate measures to prevent foreseeable data breaches.
While McLaren did not admit to any wrongdoing, the decision to agree to a settlement was likely motivated by an interest in avoiding prolonged litigation. Under the terms of the agreement, class members may receive compensation of up to $5,000 for documented losses resulting from the breaches. They also have the capacity to file claims for pro-rata cash payments, which will be distributed after the settlement costs have been allocated.
The settlement further includes provisions for one year of credit monitoring and identity theft protection services for affected individuals. Additionally, McLaren has committed to enhancing its cybersecurity framework as part of the settlement, reflecting a broader recognition of the critical importance of data protection in the healthcare sector.
The final approval hearing for this settlement is scheduled for April 21, 2026. As this situation unfolds, it highlights the pressing need for healthcare organizations to strengthen their cybersecurity defenses against increasingly sophisticated cyber threats.
From a cybersecurity perspective, the events surrounding these attacks could involve multiple tactics outlined in the MITRE ATT&CK framework. The initial breaches likely involved tactics such as initial access through exploitation, followed by techniques for persistence and data exfiltration. Understanding these tactics can provide significant insights into preventing future breaches, allowing organizations to better safeguard sensitive information.
As healthcare institutions increasingly digitize their operations, the emphasis on robust cybersecurity measures becomes paramount. The McLaren case serves as a crucial reminder of the vulnerabilities faced within the sector and the need for vigilant risk management strategies.