
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

McLaren Health Care Pays $14 Million to Settle Litigation Over Ransomware Attacks

McLaren Health Care has agreed to pay $14 million to settle class action litigation stemming from two ransomware attacks in 2023 and 2024 that affected more than 2.8 million patients and employees.

McLaren Health Care is a Grand Rapids, Michigan-based integrated healthcare delivery system that operates 12 hospitals and many healthcare facilities in Michigan, Indiana, and Ohio, as well as a health plan. Over the space of a year, McLaren Health Care experienced two ransomware attacks. The first attack was conducted by the ALPHV/BlackCat ransomware group, which had access to its computer network from July 28, 2023, to August 23, 2023. The second attack was conducted by the Inc Ransom ransomware group, which accessed its network between July 17, 2024, and August 3, 2024.

The ALPHV/BlackCat ransomware attack affected 2,103,881 individuals, and the Inc Ransom ransomware attack affected 743,131 individuals. Data compromised in the attacks included names, Social Security numbers, information about past, present, or future physical, mental, or behavioral health or conditions, the provision of health care, and payment for health care.

The first attack was detected on August 22, 2023, and notification letters were mailed to the affected individuals on November 9, 2023. At least eight class action lawsuits were filed in response to the first data breach, which were consolidated in the United States District Court for the Eastern District of Michigan. Following the 2024 ransomware attack and data breach, a further two class action lawsuits were filed. The lawsuits were consolidated in the Michigan 7th Judicial Circuit Court for Genesee County – Cindy Womack-Devereaux, et al. v. McLaren Health Care Corporation.

The lawsuit alleged that McLaren Health Care had inadequate security measures and did not comply with industry standards for data security, FTC guidelines, or the HIPAA Rules, resulting in the first attack. It further alleged that McLaren Health Care then failed to learn from the ransomware attack and did not make the necessary security upgrades to prevent further incidents, resulting in a second ransomware attack.

The plaintiffs alleged that they suffered concrete injuries as a result of the attacks, including invasion of privacy, theft of their private information, lost or diminished value of their private information, lost time and opportunity costs, loss of benefit of the bargain, loss of employment opportunities, and a continued risk of their private information being misused, as it remains unencrypted and available for other parties to access via the dark web. The lawsuit asserted claims of negligence, breach of implied contract, breach of express contract, and unjust enrichment. McLaren Health Care disagrees with all claims and contentions in the lawsuit.

Following months of dialogue about a potential settlement, the plaintiffs issued a settlement demand, and an appropriate settlement was ultimately agreed upon following mediation. Under the terms of the settlement, class members may submit a claim for one year of single-bureau credit monitoring and identity theft protection services plus one or two cash payments. The first cash payment may be claimed for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. The losses must have been incurred on or after July 28, 2023, and be more likely than not traceable to either of the data breaches.

Regardless of whether a claim is submitted for reimbursement of losses, class members may submit a claim for a pro rata cash payment, which will be paid after attorneys’ fees and expenses, settlement administration costs, service awards for the lead plaintiffs, credit monitoring costs, and claims for reimbursement of losses have been deducted. McLaren Health Care has also agreed to take certain remedial measures and enhance security.

The deadline for exclusion and objection is March 16, 2026. The deadline for submitting a claim is April 29, 2026, and the final approval hearing has been scheduled for April 21, 2026.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
