Carespring Health Care Management agreed to resolve a class action lawsuit tied to a 2023 cyberattack.
What happened
Carespring Health Care Management has agreed to settle a class action lawsuit over a data breach, according to the Settlement Agreement, that exposed the sensitive personal and medical information of 77,000 patients and residents in October 2023. The settlement, which got preliminary court approval in December 2025, outlines compensation and protective services for affected individuals, while Carespring denies any wrongdoing.
The backstory
In October 2023, Carespring Health Care Management suffered a cyberattack that exposed the personal and medical information of 76,719 individuals. Threat actors accessed the company’s systems between October 12 and October 30, 2023, compromising names, dates of birth, Social Security numbers, health insurance details, and medical information.
The breach was detected on October 28, 2023, and following a forensic investigation, affected individuals were notified. Although the company stated there was no confirmed evidence of fraud at the time of disclosure, it offered identity monitoring and credit protection services to impacted individuals. Cybercriminal groups later claimed responsibility for the attack on ransomware leak sites.
Go deeper: Carespring Data Breach Exposes Personal and Medical Information of Nearly 77,000 Patients
What was said
In the settlement agreement, the plaintiffs state that they believe “the claims asserted in the Litigation … have merit,” but also recognize “the expense, length of continued litigation, and uncertain outcome” of pursuing the case further. Class Counsel, described as experienced in class action matters, concluded that the agreement is “fair, reasonable, and adequate, and in the best interests of the Settlement Class Members.”
At the same time, Carespring Health Care Management denies any wrongdoing. In the agreement, the company “denies any and all claims and contentions alleged against it.”
Carespring says it entered into the settlement “solely to avoid the burden, expense, and uncertainty of continued litigation,” noting that further proceedings would likely be “protracted and expensive.”
See also: HIPAA Compliant Email: The Definitive Guide (2026 Update)
In other news
McLaren Health Care has agreed to pay $14 million to resolve consolidated class-action lawsuits stemming from two back-to-back ransomware attacks that exposed the personal and health information of millions of patients and employees.
The attacks occurred in consecutive years. The first, discovered in 2023, was attributed to the ransomware group ALPHV/BlackCat, which claimed to have exfiltrated sensitive data including Social Security numbers, insurance details, and medical records. While remediation efforts were ongoing, a second breach in mid-2024 was linked to Inc Ransom, further exposing patient and employee data.
The settlement allows affected individuals to file claims for reimbursement of documented losses and receive credit monitoring and identity protection services. McLaren has not admitted wrongdoing but agreed to settle to avoid prolonged litigation. A final approval hearing is scheduled for April 2026.
Go deeper: McLaren Health to pay $14M over back-to-back ransomware attacks
FAQS
What are common triggers for patient class-action lawsuits?
Plaintiffs may file claims if protected health information (PHI) is improperly accessed or disclosed, or if organizations fail to provide timely breach notifications to affected individuals.
What cybersecurity controls are increasingly scrutinized in litigation?
Courts and plaintiffs often focus on:
- Multi-factor authentication (MFA) implementation
- Network segmentation
- Timely patch management
- Vendor access controls
- Encryption practices
- Incident response preparedness
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
Tshedimoso Makhene
