McLaren Health to pay $14M over back-to-back ransomware attacks

McLaren Health Care has agreed to pay $14 million to resolve consolidated class-action lawsuits from two ransomware attacks that exposed the personal and health data of millions of patients and employees.

What happened

According to BankInfo Security, McLaren Health Care has agreed to pay $14 million to settle class-action lawsuits arising from two separate ransomware attacks that compromised the personal and health data of millions of patients and employees.

Under the settlement, individuals impacted by the breaches may file claims for reimbursement of documented losses and receive credit monitoring and identity protection services. McLaren has not admitted wrongdoing but agreed to the settlement to avoid prolonged litigation. A final approval hearing is scheduled for April 2026, and claim deadlines have been set for affected individuals.

The backstory

The $14 million settlement comes after the organization was the target of two major ransomware attacks for consecutive years. The first breach, discovered in 2023, was attributed to the ALPHV/BlackCat ransomware group, which claimed to have exfiltrated large volumes of sensitive data. The compromised information reportedly included patients’ names, Social Security numbers, health insurance details, and medical records. The incident disrupted operations across McLaren’s network of hospitals and clinics and triggered mandatory breach notifications to affected individuals.

While investigations and remediation efforts were still underway, McLaren experienced a second cyberattack in mid-2024. This attack was linked to another ransomware group known as Inc Ransom, which further exposed patient and employee data. The sequential nature of the incidents prompted multiple class action lawsuits alleging that McLaren failed to implement adequate safeguards and did not sufficiently strengthen its systems after the first breach.

Go deeper: McLaren Health Care reports new data breach affecting over 743,000 people

In the know

ALPHV/BlackCat is a ransomware-as-a-service (RaaS) operation that has targeted organizations worldwide, including healthcare providers and critical infrastructure entities. In a joint cybersecurity advisory, the Cybersecurity and Infrastructure Security Agency (CISA), FBI, and the Department of Health and Human Services (HHS) note that “Since mid-December 2023, of the nearly 70 leaked victims, the healthcare sector has been the most commonly victimized. This is likely in response to the ALPHV Blackcat administrator’s post encouraging its affiliates to target hospitals after operational action against the group and its infrastructure in early December 2023.” The group uses “advanced social engineering techniques and open source research on a company to gain initial access,” often combining phishing campaigns with stolen credentials or exploited vulnerabilities to infiltrate networks. Once inside, affiliates move laterally across systems, escalate privileges, and exfiltrate sensitive data to “extort victims without deploying ransomware.”

Inc Ransomware, on the other hand, “operates in the double extortion method, where victim data is stolen and leaked via a data leak site if the ransom demand is not paid.” According to Blackpoint Cyber, the group combines “the traditional ransomware extortion method (encryption) with exfiltration of victim’s sensitive data; the group threatens to leak the data via a data leak site if the ransom demand is not paid.” The attackers gain initial access via social engineering tactics and “valid credentials to target external remote services.” In 2025, the group increased its activities, listing over 300 victims. Similar to ALPHV/BlackCaat, the group most frequently targets the healthcare industry.

What was said

According to a statement by McLaren, “A proposed $14 million Settlement arising out of two data breaches has been reached with McLaren Health Care Corp. (“McLaren”). Between July 28, 2023 and August 23, 2023, and then again between July 17, 2024 and August 3, 2024, unauthorized third parties may have gained access to Class Members’ Personally Identifying Information and Protected Health Information (collectively, “Private Information”).”

The bottom line

According to Paubox’s 2025 healthcare email security report, ransomware has become a critical threat to the healthcare sector, characterized by a massive increase in frequency and operational impact. According to the report, ransomware attacks on healthcare organizations have surged by 264% since 2018. The McLaren case shows how repeat attacks can compound risk, extending from operational risks to legal and financial risks.

See also: HIPAA Compliant Email: The Definitive Guide (2026 Update)

FAQS

What should affected individuals do?

Individuals who received notification of the breaches should review settlement details carefully, monitor financial and medical statements, and consider filing a claim if eligible.

What is the purpose of a class action lawsuit?

A class action allows a large group of affected individuals to pursue legal claims collectively rather than filing separate lawsuits.

Could McLaren face regulatory penalties beyond this settlement?

Healthcare data breaches can trigger investigations by regulators such as the U.S. Department of Health and Human Services’ Office for Civil Rights, which enforces HIPAA compliance.