McLaren Health Care $14M Data Breach Class Action Settlement, Claim Up To $5,000 By April 29, 2026—2.8 Million Patients Affected
If you were a McLaren Health Care patient between July 2023 and August 2024, you can claim up to $5,000 cash plus one year of credit monitoring from the $14 million class action settlement—but you must file by April 29, 2026.
McLaren Health Care Corporation agreed to pay $14 million to resolve allegations it failed to protect patient information in two separate ransomware attacks that exposed names, Social Security numbers, medical records, and health insurance details of approximately 2.8 million people. The settlement in Womack-Devereaux et al. v. McLaren Health Care Corporation (Case No. 24-121459) provides cash compensation and identity theft protection for all affected patients.
What Happened In The McLaren Health Care Data Breaches
McLaren experienced two devastating cyberattacks within one year. The first breach occurred between July 28 and August 23, 2023, when the ALPHV or BlackCat ransomware group gained unauthorized access to McLaren’s computer systems. Hackers accessed over 8.2 terabytes of private patient data stored across the Michigan-based healthcare network.
Then lightning struck twice. Between July 17 and August 3, 2024, another unauthorized actor infiltrated McLaren’s network, potentially compromising the same types of sensitive information. The double breach triggered multiple lawsuits that were consolidated before Judge B. Chris Christenson in the 7th Judicial Circuit Court of Genesee County, Michigan.
McLaren Health Care operates 13 hospitals across Michigan and Ohio, including facilities in Flint, Lansing, Port Huron, and Bay City. The breaches affected current and former patients at all McLaren locations, plus those treated at affiliated Karmanos Cancer Institute.
What Personal Information Was Exposed
The compromised data varies by individual but potentially includes names, Social Security numbers, dates of birth, medical record numbers, health insurance policy numbers, billing and claims information, detailed medical information including diagnoses and treatment records, and prescription information.
This combination creates severe identity theft and medical fraud risk. Criminals can use Social Security numbers to open fraudulent accounts, file false tax returns, and access financial services. Medical information enables healthcare fraud where criminals use stolen identities to obtain prescription drugs, file fraudulent insurance claims, or receive medical treatment under someone else’s name.
Similar to the $4M Numotion Data Breach Class Action Settlement Claim Up To $15,000 By March 18, 2026, this case highlights ongoing vulnerabilities in healthcare data security affecting millions of patients nationwide.
Who Can File A Claim
You’re eligible if you’re a natural person whose private information may have been compromised in either the July 28-August 23, 2023 breach or the July 17-August 3, 2024 breach, including anyone who received a data breach notification letter or email from McLaren Health Care Corporation.
All United States residents whose confidential information was potentially affected qualify, regardless of which McLaren facility provided your care. The settlement covers patients at McLaren Flint, McLaren Greater Lansing, McLaren Oakland, McLaren Macomb, McLaren Northern Michigan, McLaren Port Huron, McLaren Central Michigan, McLaren Lapeer Region, McLaren Thumb Region, McLaren Caro Region, McLaren Bay Region, McLaren Bay Special Care, and Karmanos Cancer Institute.
How Much Money You Can Receive
The $14 million settlement fund offers multiple benefit options:
Documented Loss Payment (Up To $5,000): You can claim reimbursement for actual out-of-pocket losses and expenses traceable to the data breach that occurred on or after July 28, 2023. Eligible expenses include unreimbursed fraud losses, professional fees related to identity theft or tax fraud, lost interest from delayed tax refunds, credit freeze expenses, credit monitoring costs, and miscellaneous expenses such as notary fees, postage, or mileage.
You must provide reasonable documentation showing your expenses resulted from the breach and weren’t reimbursed by another source. Supporting documentation includes bank or credit card statements showing unreimbursed fees or fraud charges, receipts, invoices, credit reports showing fraudulent accounts, and proof of monetary losses due to fraud or identity theft.
Pro-Rata Cash Payment (No Documentation Required): If you don’t have documented losses or prefer not to gather receipts, you can claim a flat pro-rata cash payment. The amount depends on how many class members file claims and how much of the settlement fund remains after documented loss claims, attorney fees, administration costs, and class representative awards are paid.
One-Year Credit Monitoring: All class members can elect to receive one year of one-bureau medical monitoring and identity theft protection services. This benefit includes dark web scanning, $1 million in reimbursement insurance, fully managed identity restoration services, and lost wallet assistance.
Even if you currently have credit monitoring through another service, you can still claim this benefit and defer enrollment for up to one year from receipt.
How To File Your Claim Before April 29, 2026
To submit your claim online, visit www.MHCCSettlement.com and enter your unique Notice ID and Confirmation Code found on your breach notification letter. If you didn’t receive a notice but believe you should be included in the settlement class, you must mail a paper claim form with supporting documentation showing you were impacted by one of the data breaches.
You can also download a PDF claim form from the settlement website, complete it, and mail it to:
MHCC Class Action Settlement
c/o Settlement Administrator
1650 Arch Street, Suite 2210
Philadelphia, PA 19103
The claim deadline is April 29, 2026. Online claims must be submitted by this date, and mailed claims must be postmarked no later than April 29, 2026.
For questions, call the settlement administrator at 1-844-685-4251 or email [email protected].
Timeline Of The McLaren Settlement
The settlement agreement was signed on January 12, 2026, after months of negotiations following the discovery of the second breach. Settlement notices began going out to affected patients on January 29, 2026.
The court granted preliminary approval on December 15, 2025. The final approval hearing is scheduled for April 21, 2026 at 10:00 a.m. before Judge B. Chris Christenson.
Payments and credit monitoring codes will be issued to approved claimants approximately 75 days after the court grants final approval and all appeals are resolved. If final approval occurs as scheduled on April 21 with no appeals, expect payments around early July 2026.
What The Lawsuit Alleged
Plaintiffs Cindy Womack-Devereaux, Sue Ranney, and Kayle Gries filed consolidated class actions alleging McLaren failed to adequately protect patient information despite storing highly sensitive medical and personal data. The lawsuits claimed McLaren violated the Health Insurance Portability and Accountability Act (HIPAA), the Michigan Consumer Protection Act, and the Federal Trade Commission Act.
Specific allegations included failure to implement reasonable cybersecurity safeguards, inadequate employee training on data security, delayed notification to affected patients, and continued security vulnerabilities that allowed a second breach to occur after the first attack.
BlackCat was a known threat actor at the time the first breach occurred, and plaintiffs alleged McLaren neglected to employ adequate mitigation and defense strategies to protect patient information from such attacks.
McLaren’s Response And Required Security Improvements
McLaren Health Care denies all allegations and has not admitted any wrongdoing. No court has made any judgment of liability. McLaren agreed to settle to avoid the risk and expense of continued litigation.
As part of the settlement, McLaren committed to implement enhanced data security measures for at least two years to better protect the sensitive information it stores. While specific improvements weren’t publicly detailed, standard post-breach security enhancements typically include improved network monitoring, stronger access controls, multi-factor authentication, employee cybersecurity training, and regular security audits.
What You Need To Know About Healthcare Data Breach Settlements
Healthcare data breaches exposed 133 million patient records in 2023 alone, making medical information one of the most valuable commodities on the dark web. Your medical records are worth approximately 50 times more than credit card data because they contain comprehensive personal information that can’t easily be changed.
The $14 million McLaren settlement falls within the typical range for healthcare data breaches affecting 2-3 million individuals. Comparable recent settlements include the WebTPA Data Breach Settlement Approved $13.75 Million Available To 2.4 Million Victims and the Nelnet Data Breach Class Action Lawsuit $10M Settlement Pays Up To $5,000 Cash.
Class members who file documented loss claims typically receive significantly more than those claiming pro-rata payments. According to settlement administration data, 96% of settlement funds go unclaimed because affected individuals either miss deadlines or don’t understand their eligibility.
Steps To Protect Yourself After The Breach
Even if you file a claim, take immediate protective action. Place a fraud alert on your credit reports through Equifax, Experian, or TransUnion. Consider freezing your credit to prevent new accounts from being opened without your authorization.
Monitor all bank accounts and credit card statements for unauthorized transactions. Review your Explanation of Benefits (EOB) statements from your health insurance company for medical services you didn’t receive—a red flag for medical identity theft.
Check your credit reports from all three bureaus for accounts you didn’t open. Sign up for the free credit monitoring offered through the settlement even if you already have another service.
Review your medical records with your healthcare providers to ensure no unauthorized treatments, prescriptions, or diagnoses appear. Medical identity theft can affect your health insurance coverage and even lead to incorrect information in your medical files that could impact future treatment.
Frequently Asked Questions
What is the McLaren Health Care $14M Data Breach Class Action Settlement about?
The settlement resolves claims that McLaren Health Care failed to adequately protect patient information, resulting in two separate ransomware attacks in 2023 and 2024 that compromised the personal and medical information of approximately 2.8 million patients. The settlement provides cash compensation and credit monitoring to affected individuals.
How many patients were affected by McLaren Health Care’s data breaches?
Approximately 2.8 million current and former patients were impacted by the two breaches combined. All affected individuals who received breach notifications from McLaren or Karmanos Cancer Institute are eligible to file claims.
What personal health information was compromised?
The compromised data varies by individual but potentially includes names, Social Security numbers, dates of birth, medical record numbers, health insurance information, billing and claims data, detailed medical information including diagnoses and treatment records, and prescription information.
How do I know if my data was affected?
If you received a data breach notification letter or email from McLaren Health Care Corporation or Karmanos Cancer Institute about the 2023 or 2024 incidents, your information was likely compromised. The notification contains your unique Notice ID and Confirmation Code needed to file claims online.
What is the deadline to file a claim?
The claim deadline is April 29, 2026. Online claims must be submitted by this date, and mailed claims must be postmarked no later than April 29, 2026. Missing this deadline forfeits all settlement benefits.
How much compensation could I receive?
You can claim up to $5,000 for documented losses related to the breach with supporting documentation, or a flat pro-rata cash payment if you file without documentation. The pro-rata amount depends on the total number of claims filed. All class members also qualify for one year of credit monitoring services.
Do I need proof of identity theft to file a claim?
No. You don’t need to prove you suffered actual identity theft or fraud. If you received a breach notification, you’re eligible for at least the pro-rata cash payment and credit monitoring services without providing any documentation of losses.
When will I receive my settlement payment?
Payments and credit monitoring activation codes will be issued to approved claimants approximately 75 days after the court grants final approval on April 21, 2026, assuming no appeals are filed. Expect payments around early July 2026 if the settlement receives final approval as scheduled.
Disclaimer: This article provides general information about the McLaren Health Care class action settlement and should not be considered legal advice. Settlement details are based on publicly available court documents and official settlement notices. For questions about your specific eligibility or claim, contact the settlement administrator or consult a qualified attorney.
Stay informed, stay protected. — AllAboutLawyer.com
Last Updated: February 7, 2026
About the Author
Sarah Klein, JD, is a licensed attorney and legal content strategist with over 12 years of experience across civil, criminal, family, and regulatory law. At All About Lawyer, she covers a wide range of legal topics — from high-profile lawsuits and courtroom stories to state traffic laws and everyday legal questions — all with a focus on accuracy, clarity, and public understanding.
Her writing blends real legal insight with plain-English explanations, helping readers stay informed and legally aware.
Read more about Sarah