McLaren Health Care Data Breach Lawsuit Says 2.5 Million Patients Impacted by October 2023 Cyberattack

New to ClassAction.org? Read our Newswire Disclaimer

A proposed class action lawsuit alleges Michigan-based McLaren Health Care Corporation failed to implement reasonable, industry-standard cybersecurity measures prior to a massive early-October 2023 data breach that affected current and former patients. 

Did you receive a data breach notice from McLaren Health Care Corporation? Let us know here. 

The 78-page case relays that a ransomware outfit known as ALPHV/BlackCat on October 3 “took credit” for the McLaren Health Care data breach, claiming to have stolen six terabytes of data belonging to roughly 2.5 million patients. The suit accuses McLaren, whose system includes 13 hospitals in Michigan, of storing current and former patient data in “a reckless manner,” in particular in a condition vulnerable to cyberattacks. 

Further, the lawsuit calls the method by which the hackers infiltrated McLaren’s systems a “known risk” to the corporation, which was thus “on notice that failing to take steps necessary to secure the Private Information from those risks left that property in a dangerous condition.” 

“Plaintiff’s and Class Members’ identities are now at risk because of Defendant’s negligent conduct because the Private Information that Defendant collected and maintained is now in the hands of data thieves,” the suit states. 

According to the lawsuit, the information compromised in the McLaren Health Care data breach included personally identifiable information and medical and health insurance details, including names, dates of birth, Social Security numbers, and medical and treatment data. 

The injuries sustained by McLaren data breach victims include not only the theft of their private information but also the lost or diminished value of that data, lost time associated with mitigating the fallout of the data breach, out-of-pocket costs linked to credit monitoring and credit freezes, and the continued risk of fraud and identity theft, the case says. 

McLaren, in late August, reportedly detected “suspicious activity” on its computer network and immediately launched an investigation into the source of the disruption. As a result of this inquiry, McLaren learned that it did, in fact, experience a ransomware attack, the suit shares. Around September 29, ALPHV/BlackCat claimed responsibility for the incident, the latest in a long string of ransomware attacks targeted at companies that maintain sensitive patient data, the case relays. 

The lawsuit asserts that current and former patients’ data was not encrypted in McLaren’s systems and “was or soon will be published on the dark web” and made available for purchase. 

The case looks to cover all persons in the United States whose personal and/or health information was compromised as a result of the McLaren Health Care data breach. 

Did you receive a data breach notice from McLaren Health Care Corporation? Let us know here.