McLaren Health Got Hit by Ransomware Twice. Now It's Paying $14 Million.

Two Attacks, One Year Apart

Michigan based McLaren Health Care, one of the largest health systems in the state, was hit by ransomware twice in consecutive years. The first attack, between July 28 and August 23, 2023, was carried out by the Russian speaking ransomware gang Alphv/BlackCat. The attackers exfiltrated more than six terabytes of patient and employee data, including names, Social Security numbers, health insurance information, birthdates, and medical records.

The second attack came less than a year later, between July 17 and August 3, 2024, this time by a different ransomware group called Inc Ransom. Combined, the two breaches affected approximately 2.5 million patients and employees.

What the Settlement Covers

The $14 million class action settlement received preliminary court approval on December 15, 2025. The claim deadline is April 29, 2026, with a final approval hearing scheduled for April 21, 2026. Class members who submit documented proof of out of pocket losses related to either breach can claim up to $5,000 in reimbursement.

But for most affected individuals, the payout will be far less. With 2.5 million potential claimants and $14 million in the fund, the maximum per person works out to $5.60 if everyone files. In practice, class action participation rates are typically low, so individual payouts will likely be higher, but still modest compared to the scope of the data exposure.

Why Healthcare Keeps Getting Hit

Healthcare is the most targeted sector for ransomware attacks, and the pattern is consistent. Hospitals and health systems run complex IT environments with legacy systems, shared credentials, and large volumes of sensitive data that attackers can monetize through extortion or sale on dark web markets.

McLaren's case illustrates a common failure mode: the organization was breached by one group, presumably patched the vulnerability, and was then breached by a different group through what appears to be a different vector. This suggests systemic security weaknesses rather than a single exploitable flaw. When the first breach does not lead to comprehensive security improvements, the second one is almost inevitable.

The Real Cost Is Not the Settlement

For McLaren, $14 million is a significant expense but manageable for a health system of its size. The real cost falls on the 2.5 million people whose Social Security numbers, medical histories, and insurance details are now in the hands of cybercriminals. That data does not expire. It can be used for identity theft, insurance fraud, and targeted phishing campaigns for years after the breach.

As part of the settlement, McLaren agreed to enhance its data security practices for at least two years. The specific measures are undisclosed. Whether they will be enough to prevent a third breach remains to be seen.

Healthcare data breaches are not just IT incidents. They create lasting exposure for patients whose most sensitive personal information, including diagnoses, treatment histories, and genetic data, becomes permanently available to anyone willing to pay for it.