2023 and 2024 Ransomware Breaches Affected More Than 2.5M

Michigan-based McLaren Health Care agreed to pay $14 million to settle consolidated class action litigation involving two ransomware attacks – allegedly by Alphv/BlackCat in 2023 and by Inc Ransom in 2024 – that affected about 2.5 million patients and employees.
The consolidated litigation filed against McLaren in a Michigan state court alleged negligence, breach of implied contract, breach of express contract and unjust enrichment.
McLaren, headquartered in Grand Blanc, Mich., describes itself as a $7.3 billion, integrated health care delivery system with 12 hospitals, and dozens of other medical facilities across Michigan, Indiana and Ohio. McLaren also operates a health insurance plan.
A final court hearing for approval of the settlement is set for April 21. Under the preliminary settlement, class members can submit claims of up to $5,000 for documented unreimbursed losses and consequential expenses that are “more than likely” tied to the breaches.
Class members can also file a claim for a pro rata cash payment that will be calculated based on what remains in the settlement fund after documented losses, administrative expenses and other costs are paid.
Class counsel is seeking one-third of the settlement fund, or about $4.6 million, for fees – plus $50,000 separately for litigation expenses.
Under the settlement, McLaren agreed, at its own expense, to enhance its data security practices. That includes implementing specific but undisclosed measures for a period of at least two years.
The litigation alleged that between July 28, 2023 and Aug. 23, 2023, and again a year later, between July 17, 2024 and Aug. 3, 2024, cybercriminals exfiltrated from McLaren’s network the sensitive personal information of about 2.5 million current and former patients.
In the first incident, Russian-speaking ransomware gang Alphv/BlackCat claimed to have stolen more than 6 terabytes of McLaren patient and employee data, including names, Social Security numbers, health insurance information, birthdates and medical information such as diagnosis, treatment, physician information and medications (see: Group Claims it Stole 2.5 Million Patients’ Data in Attack).
McLaren reported to federal regulators in October 2023 that the ransomware attack affected nearly 2.2 million patients (see: McLaren Health Care Hack Affected Millions, Lawsuits Pile Up).
McLaren suffered a similar cybersecurity incident in 2024.
“McLaren failed to make the necessary security upgrades to ensure the protection of its systems and of the private information of plaintiffs and the class going forward,” the complaint alleged. “Accordingly, due to these failures, McLaren experienced another data security incident nearly a year later.”
At the time of the 2024 incident, McLaren clinical staff members told Information Security Media Group that the second incident, allegedly by Inc Ransom, was more disruptive to patient care delivery than the 2023 ransomware attack by Alphv/BlackCat (see: McLaren Health Hit with Ransomware for Second Time in a Year).
McLaren has not publicly stated whether it paid a ransom demand in either of the incidents.
McLaren reported the 2024 attack to the U.S. Department of Health and Human Services in June 2025 as a hacking incident affecting the protected health information of more than 743,000 individuals (see: McLaren Health Says 743,000 Affected by 2024 Ransomware Hack).
The attacks on McLaren prompted Michigan state officials to issue public warnings urging consumers to be proactive in monitoring their credit and other accounts (see: Officials Warn of Risks As McLaren Recovers from Attack).
McLaren did not immediately respond to ISMG’s request for comment on the settlement.
