McLaren Health Facing Multiple Class Action Lawsuits over Ransomware Attack
Multiple lawsuits have been filed against McLaren Health over its August 2023 ransomware attack. The 15-hospital Michigan health system was attacked in August 2023 by an affiliate of the ALPHV/BlackCat ransomware group, which claims to have exfiltrated the sensitive data of approximately 2.5 million patients. McLaren Health was added to the group’s data leak site on September 29, 2023, and threats were issued to publish the stolen data if the ransom was not paid. The threat actor also boasted about having an active backdoor into McLaren Health’s computer systems. The HIPAA Journal has confirmed that the group’s data leak site included patient names, patient ID numbers, genders, dates of birth, ages, addresses, Social Security numbers, race, language spoken, religion, pregnancy status, physician names, and other sensitive data.
The attack prompted Michigan Attorney General Dana Nessel to issue a warning to current and former patients advising them to secure their medical and financial accounts and monitor for any attempted misuse of their personal information. “This attack shows, once again, how susceptible our information infrastructure may be,” said AG Nessel. “Organizations that handle our most personal data have a responsibility to implement safety measures that can withstand cyber-attacks and ensure that a patient’s private health information remains private.”
McLaren Health issued a statement confirming that the attack has been contained and that no evidence has been found to indicate the ransomware group can still access its network. The attack is still being investigated and the health system has not yet confirmed how many patients have been affected; however, it has started issuing notification letters.
Multiple lawsuits have already been filed in response to the attack and more are expected to be filed in the coming days. The Grand Blanc, Michigan-based health system is alleged to have failed to implement appropriate and necessary safeguards to ensure the privacy of patient data, breaching its duty to its patients and its obligations under the FTC Act, Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act (HIPAA), Michigan Consumer Protection Act, and Michigan data breach notification law.
The lawsuits claim the plaintiffs – Cheryl Drugich, Kati Komorosky, & Jamie McSkulin – face an increased and imminent risk of fraud and identity theft and have had to spend time and money monitoring their financial accounts and protecting themselves against misuse of their sensitive information, which it is claimed is now in the hands of cybercriminals and will likely be released on the dark web, putting them at risk of future phishing attacks, data intrusion, and other illegal schemes based on their private data.
The lawsuits allege negligence, negligence per se, breach of fiduciary duty, breach of implied contract, unjust enrichment, and violations of the Michigan Consumer Protection Act and Michigan data breach notification law and seek declaratory relief, monetary damages, statutory damages, punitive damages, equitable relief, and injunctive relief, including an order from the court requiring McLaren Health to implement a raft of security measures to prevent further data breaches.
The plaintiffs and class members are represented by attorneys from the law firms Chestnut Cambronne PA, Markovits Stock & Demarco, LLC, The Miller Law Firm, Milberg Coleman Bryson Phillips Grossman PLLC, Shub & Johns LLC, and Ahdoot & Wolfson, OC.


