
McLaren Health agrees to $14M settlement over two data breaches

The settlement stemmed from two separate ransomware attacks that McLaren Health Care experienced in 2023 and 2024.

McLaren Health Care agreed to a $14 million settlement to resolve a class action lawsuit stemming from two data breaches that potentially compromised patient information. McLaren, based in Grand Blanc, Michigan, comprises 12 hospitals, ambulatory surgery centers, a health plan and other services.  

The first breach occurred in August 2023, when McLaren first detected suspicious activity within its IT systems. According to a press release published by the Michigan attorney general's office, the cyberthreat group ALPHV/BlackCat claimed that it stole six terabytes of McLaren's data. The breach impacted 2.5 million individuals.  

One year later, McLaren experienced a second cyberattack, which was claimed by Inc Ransom cyberthreat actors. This breach impacted more than 740,000 individuals. According to the initial notice, McLaren immediately activated its downtime procedures and kept its facilities largely operational. 

Individuals impacted by the cyberattacks consolidated their complaints into a single lawsuit filed in the 7th Judicial Circuit Court in Genesee County. The plaintiffs alleged that McLaren failed to protect their information from the two breaches and failed to take the appropriate actions to prevent foreseeable data breaches. 

McLaren admitted no wrongdoing but agreed to a settlement to avoid further litigation. Under the settlement terms, class members will be eligible to receive up to $5,000 for documented losses related to the breaches. Class members can also submit claims for a pro rata cash payment, to be paid out after other settlement costs have been distributed. 

Class members can also claim one year of credit monitoring and identity theft protection services. As part of the settlement agreement, McLaren agreed to enhance its security program.  

The final approval hearing is scheduled for April 21, 2026. 

Jill Hughes has covered healthcare cybersecurity and privacy news since 2021.
