McLaren Health Care has agreed to pay $14 million to settle class action litigation related to two ransomware attacks that occurred in 2023 and 2024 resulting in data breaches.
Nature Of the Incidents
McLaren Health Care encountered two ransomware attacks that affected 2.8 million individuals. A $14 million settlement fund was created to resolve the litigation connected to two ransomware attacks . The ALPHV/BlackCat ransomware group conducted the first attack, accessing the McLaren Health Care’s computer system between July 28, 2023 and August 23, 2023. The data breach affected 2,103,881 individuals. The Inc Ransom ransomware group conducted the second attack, accessing its system from July 17, 2024 to August 3, 2024 and affecting 743,131 individuals’ PHI. The incidents resulted in the compromise of the following data: names, Social Security numbers, payment for health care, details about past, present, or future mental, physical, or behavioral health or disorders, and the provision of health care.
Upon discovery of the first attack on August 22, 2023, McLaren Health Care sent breach notification letters to the affected individuals on November 9, 2023. In response to the first data breach, the integrated healthcare delivery system faced at least eight class action lawsuits, which were combined in the United States District Court for the Eastern District of Michigan. After the 2024 ransomware attack and data breach, McLaren Health Care faced two more class action lawsuits. The lawsuit Cindy Womack-Devereaux, et al. v. McLaren Health Care Corporation filed in the Michigan 7th Judicial Circuit Court for Genesee County is now the consolidated lawsuits.
Scope of Litigation
The lawsuit claimed that McLaren Health Care failed to implement sufficient security measures, follow industry requirements for data security, the HIPAA compliance rules, or FTC guidelines. After the first attack, McLaren Health Care did not apply the needed security upgrades to prevent another ransomware attack.
The lawsuit claimed invasion of privacy, theft of their personal data, lost or reduced value of their personal data, loss of benefit of the bargain, lost time and opportunity costs, loss of employment prospects, and an ongoing risk of misuse of their personal data, since it is still unencrypted and freely accessible on the dark web. The lawsuit stated claims of unjust enrichment, negligence, breach of express contract, and breach of implied contract. McLaren Health Care denies all claims and allegations in the lawsuit.
Legal Resolution
The parties agreed upon an appropriate settlement after mediation, which required a $14 million fund to resolve the class action litigation. The terms of the settlement state that class members could file a claim for single-bureau credit monitoring and identity theft protection services for one year and also one or two cash payments. A cash payment up to $5,000 per class member may be claimed as repayment for documented, unreimbursed expenses incurred because of the data breach.
Class members could also file a claim for a pro rata cash payment. This payment will be paid after deducting the amount for attorneys’ fees and expenses, service awards for the lead plaintiffs, settlement management costs, claims for reimbursement of losses and credit monitoring costs. McLaren Health Care likewise decided to implement remedial procedures and improve security.
The last day to file for objection and exclusion is March 16, 2026. The last day to submit a claim is April 29, 2026. The final approval hearing will be on April 21, 2026.
