McLaren Health Care Corporation (MHCC) has agreed to a $14 million settlement to compensate individuals affected by two separate data breaches that exposed millions of people’s personal health information nationally. The settlement provides eligible class members with up to $5,000 in cash payments, one year of credit monitoring and identity theft protection services, and reimbursement for documented losses directly tied to the breach. This settlement resolves a class action lawsuit over unauthorized access to sensitive medical records, including names, Social Security numbers, dates of birth, and insurance information that could be used for identity theft or fraudulent medical billing. The two breaches occurred at different times, creating an extended window of vulnerability for MHCC patients and individuals who interacted with the healthcare system.
The first breach happened between July 28 and August 23, 2023, followed by a second breach from July 17 to August 3, 2024. Both incidents went undetected for significant periods before discovery, meaning some individuals may have been at risk without knowing for months. For example, a patient who had their records exposed in the July 2023 breach may not have discovered fraudulent medical charges or credit account openings until weeks or months later, after the damage was already done. If you received a data breach notice from McLaren Health Care or believe you were affected by either incident, you have until April 29, 2026 to file a claim and secure your share of the settlement funds.
Table of Contents
- What Happened in the MHCC Data Breaches?
- Settlement Amount and What Class Members Can Receive
- Who Is Eligible to Claim and How to File
- Critical Deadlines: When You Must File Your Claim
- Understanding Credit Monitoring and Identity Theft Protection Services
- Calculating Your Potential Settlement Payment
- Lessons from the MHCC Breaches and What Comes Next
- Conclusion
What Happened in the MHCC Data Breaches?
The two data breaches affecting McLaren Health Care Corporation exposed information from millions of patients nationally. The first breach, discovered in July through August 2023, compromised personal health information stored in MHCC’s systems. The second breach, occurring in July through August 2024, represented a second significant security failure at the same organization within just over a year. These were not minor incidents affecting a handful of individuals—the breaches had a broad national scope, suggesting systemic security vulnerabilities within the healthcare organization’s data protection infrastructure.
Data breaches in healthcare settings are particularly damaging because medical records contain some of the most sensitive personal information available. Unlike a compromised credit card number that can be cancelled and replaced, a Social Security number or health history that enters the wrong hands can lead to years of problems. Victims have reported instances of fraudulent medical services billed to their insurance, identity theft using stolen Social Security numbers, and the difficulty of correcting false medical records that could affect future healthcare decisions. MHCC’s failure to implement adequate security measures to prevent two separate breaches in less than a year raises questions about whether sufficient safeguards were ever in place.
Settlement Amount and What Class Members Can Receive
The $14 million settlement fund will be distributed among eligible class members, with each claimant eligible to receive up to $5,000 in cash compensation. The settlement also includes one year of complimentary credit monitoring and identity theft protection services, which can help detect and prevent fraudulent use of stolen personal information. Beyond the cash and monitoring, eligible claimants can seek reimbursement for documented losses they’ve incurred as a result of the data breach, up to the $5,000 maximum per person. However, it’s important to understand that the actual amount each claimant receives depends on how many valid claims are submitted.
If few people file claims, individual payouts may approach the $5,000 maximum per person. If a large number of class members submit claims, the settlement fund will be divided among more people, reducing individual awards proportionally. For example, if the total approved claims amount to $10 million, and 2 million people file legitimate claims, each person might receive around $5. Conversely, if only 100,000 people file, payments could be substantially higher. This is a significant limitation of class action settlements—while the total fund size is fixed, individual payouts are highly unpredictable and depend entirely on participation rates.
Who Is Eligible to Claim and How to File
To be eligible for the MHCC settlement, you must have had personal information exposed in either the July-August 2023 or July-August 2024 data breach affecting McLaren health Care Corporation. Class members include anyone who received a data breach notice from MHCC about either incident. If you’re unsure whether you were affected, you can check your records for any MHCC breach notification letters or contact MHCC directly to confirm your information was in their system during the breach periods.
To file a claim, visit the official settlement website at www.MHCCSettlement.com or call 1-844-685-4251. You’ll need to provide proof that you were part of the affected population and details about any losses you’ve suffered as a result of the breach. If you’re claiming reimbursement for documented losses, keep detailed records of expenses such as credit monitoring services you paid for out of pocket, time spent recovering from identity theft, or costs associated with correcting fraudulent accounts or medical records. Many people underestimate the actual harm from healthcare data breaches—beyond credit monitoring, victims often face billing disputes with insurance companies, hours of phone calls with creditors, and stress navigating the aftermath of compromised medical records.
Critical Deadlines: When You Must File Your Claim
The most important date to remember is April 29, 2026, which is the absolute deadline for submitting a claim to receive settlement compensation. This deadline is firm—claims submitted after this date will not be accepted, regardless of extenuating circumstances. Given that today’s date is April 9, 2026, you have only 20 days remaining to file your claim. If you’ve been waiting, procrastinating, or simply didn’t realize the deadline was approaching, now is the time to act immediately. Before the claim deadline, there are other important dates to be aware of.
The objection and exclusion deadline was March 16, 2026, which has already passed. This deadline allowed class members to formally object to the settlement terms or exclude themselves from the class action lawsuit. The final approval hearing is scheduled for April 21, 2026, which is when the court will finalize approval of the settlement. Even if the final hearing hasn’t occurred yet, you should still file your claim before April 29 to ensure your compensation is processed. Waiting until the last few days of April creates risk if the settlement website experiences technical problems or if your claim requires additional verification and documentation.
Understanding Credit Monitoring and Identity Theft Protection Services
The settlement includes one year of credit monitoring and identity theft protection services at no cost to eligible claimants. This is a valuable benefit on its own, separate from the cash compensation and reimbursement provisions. Credit monitoring services typically scan credit bureaus for unauthorized accounts opened in your name, alert you to suspicious changes to your credit file, and provide regular credit reports. Identity theft protection often goes further, including monitoring of the dark web for your personal information, stolen identity recovery assistance, and sometimes insurance against identity theft losses.
However, one year of monitoring services has a significant limitation—it covers only the 12-month period following the breach discovery and settlement. After the monitoring period ends, you’re responsible for your own credit protection going forward. Given that healthcare data, unlike a credit card, can be exploited indefinitely, one year may not fully protect against long-term identity theft risks. Consider what happens if your stolen Social Security number is used to fraudulently obtain medical services two years after the breach—the monitoring services from this settlement will have long since expired. Some security experts recommend setting up your own credit monitoring or fraud alerts with the major credit bureaus after the settlement services end, just to maintain continuous protection.
Calculating Your Potential Settlement Payment
To estimate what you might receive from this settlement, you need to think about two components: the guaranteed credit monitoring and identity theft protection services, and the cash compensation which depends on participation rates. The cash compensation calculation requires you to document specific losses you suffered directly from the breach. Eligible losses might include fees you paid for credit monitoring services you purchased yourself before the settlement, time and expenses spent addressing fraudulent accounts or medical charges, or documented financial losses from identity theft that used the compromised data.
For example, suppose you’re a class member who paid $200 for three years of credit monitoring when you discovered the breach, received fraudulent medical services billed at $1,500 to your insurance (which affected your copays and rates), and spent 20 hours on the phone with creditors and insurers resolving issues. You could potentially claim $1,700 in documented losses, which would be reimbursed from the settlement fund, up to the $5,000 maximum. Additionally, you’d receive one year of free credit monitoring services valued anywhere from $100 to $300 depending on the provider, plus identity theft protection. If 500,000 people file claims totaling $6 million, your $1,700 reimbursement request would be approved in full because it’s less than the $5,000 cap and the total claims are less than the $14 million fund.
Lessons from the MHCC Breaches and What Comes Next
The two MHCC data breaches highlight a persistent problem in healthcare: the gap between security requirements and security reality. Despite HIPAA regulations requiring healthcare organizations to implement robust security safeguards, breaches continue occurring at major healthcare providers. The fact that MHCC experienced two breaches within approximately 13 months suggests either that initial security measures were inadequate, that the same vulnerability wasn’t fixed after the first breach, or that the organization failed to apply lessons learned from the initial incident. For patients, this underscores the reality that you can’t completely protect yourself against data breaches at organizations you have no control over—you can only monitor for fraud after the fact.
Looking forward, this settlement may encourage other healthcare systems to invest more seriously in cybersecurity infrastructure and incident response protocols. However, healthcare data breaches are unlikely to disappear entirely. The best protection is remaining vigilant about monitoring your financial accounts and credit reports, not just during the settlement’s one-year monitoring period, but indefinitely. Consider placing a credit freeze with the three major credit bureaus (Equifax, Experian, and TransUnion) to prevent anyone from opening new accounts in your name, and regularly review your medical explanation of benefits statements for any treatments or services you didn’t receive.
Conclusion
The MHCC $14 million data breach settlement provides concrete compensation and services to individuals affected by breaches in 2023 and 2024 that exposed millions of people’s protected health information nationally. Eligible class members can receive up to $5,000 in cash, one year of credit monitoring and identity theft protection, and reimbursement for documented losses. The settlement acknowledges that McLaren Health Care failed in its responsibility to protect patient data and provides a mechanism for affected individuals to recover some of their losses.
Time is critically important—the April 29, 2026 claim deadline is only 20 days away. To file your claim, visit www.MHCCSettlement.com, call 1-844-685-4251, or send documentation by mail to the settlement administrator. Gather any documentation of losses you’ve suffered, including expenses for credit monitoring services, fraudulent charges, or identity theft recovery costs. Don’t miss this deadline or you’ll forfeit your opportunity to receive compensation from this settlement.