McLaren Health Care Pays $14 Million After Back-to-Back Ransomware Attacks Exposed 2.2 Million Patients

McLaren Health Care, one of Michigan’s largest hospital systems, agreed to pay $14 million to settle a class action lawsuit after suffering two separate ransomware attacks in 2023 and 2024 that exposed the personal and medical information of approximately 2.2 million patients. The settlement provides cash reimbursement for out-of-pocket losses and credit monitoring services for affected individuals.

Status: Settlement Reached — $14 Million


What Happened at McLaren?

McLaren Health Care operates 13 hospitals and numerous outpatient facilities across Michigan, serving hundreds of thousands of patients. In 2023, the health system was hit by a ransomware attack that penetrated its network and compromised sensitive data. Before the organization had fully recovered and fortified its defenses, a second ransomware attack struck in 2024.

The back-to-back breaches were devastating in scope. The attackers gained access to systems containing some of the most sensitive categories of personal information that exist:

  • Social Security numbers
  • Medical records — including diagnoses, treatment histories, and lab results
  • Health insurance information — policy numbers, plan details, and claims data
  • Dates of birth
  • Contact information — addresses, phone numbers, and email addresses
  • Financial information — billing records and payment details in some cases

For patients of a health system, a data breach is especially alarming. Medical information is among the most personal data a person has, and unlike a credit card number that can be changed, your medical history and Social Security number cannot be replaced.

How Many People Were Affected?

McLaren reported that approximately 2.2 million individuals may have had their information exposed across both breaches. This includes current patients, former patients, and in some cases, employees and contractors whose data was stored on the compromised systems.

Not every affected person necessarily had the same types of information exposed. Some may have had only basic contact information compromised, while others had their full medical records and Social Security numbers accessed. The settlement covers anyone whose data was part of either breach.

What Does the Settlement Offer?

The $14 million settlement fund provides several categories of relief:

  • Cash reimbursement for documented losses — if you incurred out-of-pocket expenses because of the breach, such as costs related to identity theft, fraudulent charges, or credit monitoring services you purchased on your own, you can submit receipts for reimbursement
  • Compensation for time spent — class members can claim a payment for time they spent dealing with the aftermath of the breach, such as placing fraud alerts, monitoring accounts, and disputing unauthorized transactions
  • Credit monitoring — the settlement offers free credit monitoring and identity theft protection services for a defined period
  • Identity restoration services — if your identity is stolen as a result of the breach, the settlement provides access to specialists who can help you restore your credit and identity

Why Two Breaches in Two Years?

One of the most troubling aspects of the McLaren situation is that the health system suffered a second major breach so soon after the first. Healthcare organizations are frequent targets of ransomware groups because they hold enormous quantities of valuable personal data and because disruptions to hospital operations create urgency that can pressure victims to pay ransoms quickly.

After the first breach in 2023, McLaren was expected to improve its cybersecurity defenses. The fact that attackers were able to penetrate the system again in 2024 raised serious questions about the adequacy of those improvements. The lawsuit alleged that McLaren failed to implement reasonable security measures to protect patient data, including:

  • Inadequate network segmentation to contain breaches
  • Insufficient encryption of stored patient data
  • Failure to deploy modern intrusion detection systems
  • Lack of adequate employee cybersecurity training
  • Delayed notification to affected patients

What You Should Do to Protect Yourself

If you were a patient at any McLaren Health Care facility and believe your data may have been compromised, take these steps regardless of whether you file a settlement claim:

  • Place a fraud alert or credit freeze — contact Equifax, Experian, and TransUnion to place a free fraud alert on your credit file, or freeze your credit entirely to prevent new accounts from being opened in your name
  • Monitor your accounts — review your bank statements, credit card statements, and explanation of benefits from your health insurer for any unfamiliar charges or claims
  • Watch for medical identity theft — if someone uses your stolen health insurance information to receive medical care, it can corrupt your medical records with incorrect diagnoses and treatments, which could be dangerous to your health
  • File a claim — if the settlement claims process is open, submit your claim to receive your share of the settlement fund
  • Report suspicious activity — if you notice signs of identity theft, report it to the Federal Trade Commission at IdentityTheft.gov and file a police report

The Bigger Picture: Healthcare Data Breaches

The McLaren breaches are part of a larger trend. Healthcare data breaches have been increasing in both frequency and severity. The healthcare industry holds some of the most valuable data for criminals — Social Security numbers, insurance information, and medical records can be used for identity theft, insurance fraud, and blackmail. Unlike credit card numbers, which can be quickly cancelled, compromised medical and identity data can be exploited for years.

Until healthcare organizations face meaningful financial consequences for failing to protect patient data, the problem is likely to continue. Settlements like this one, while providing some relief to victims, also serve as a signal to the industry that data security failures carry real costs.

Case Details

Defendant: McLaren Health Care Corporation
Allegation: Failure to protect patient data, resulting in two ransomware breaches in 2023 and 2024
Settlement Amount: $14 million
People Affected: Approximately 2.2 million patients
Data Exposed: SSNs, medical records, insurance info, personal details
Status: Settled

By Steve Levine | Published: February 18, 2026

Legal Disclaimer

This article is for informational purposes only and does not constitute legal advice. OpenClassActions.org is not a law firm and does not represent any party in this litigation. If you believe your personal information was compromised in a data breach, consult with a qualified attorney to understand your legal options. Settlement terms and eligibility requirements may change.