Breach of healthcare data is more serious than regular corporate security lapses. It is inconvenient when a retailer misplaces your email address. The consequences of a hospital network losing your Social Security number, insurance information, and medical records can last for years, manifesting as credit reports that take months to resolve, fraudulent accounts, and inaccurate medical histories. The $14 million class action settlement from McLaren Health Care Corporation must be interpreted in light of this.
In consecutive summers, McLaren, a nonprofit health system with 14 hospitals and more than 250 locations throughout Michigan, experienced two distinct data breaches. The first took place between July 28 and August 23, 2023. The second took place from July 17 to August 3, 2024, nearly a year later. Sensitive personal data, including names, Social Security numbers, health insurance information, and medical records, belonging to both current and past patients, was made public in both incidents. Approximately 2.8 million people were impacted by both breaches, according to court documents submitted in the Genesee County case. It’s not a rounding error. That represents a sizeable chunk of Michigan’s overall population.
The lawsuit, Womack-Devereaux, et al. v. McLaren Health Care Corp., claimed that the breaches could have been avoided and that McLaren had neglected to put in place appropriate cybersecurity measures. Like most defendants in class action settlements, McLaren denied any wrongdoing but agreed to pay $14 million to settle the claims and pledged to keep improved data security systems in place for at least two years. A final approval hearing is set for April 21, 2026, after the settlement was granted preliminary court approval in December 2025.
The settlement provides multiple avenues for compensation for those who received breach notification letters, many of whom received them twice, once for each incident. For class members who can demonstrate out-of-pocket costs directly related to the breaches, such as bank fees, identity theft recovery costs, credit monitoring costs, or time spent handling the fallout, the largest option is a documented loss payment of up to $5,000. These losses must have occurred on or after July 28, 2023, and they must be accompanied by supporting documentation, such as bank statements, invoices, receipts, or other paper records. An alternative pro rata cash payment without proof is available for class members who are unable or unwilling to obtain documentation; however, the amount will vary based on the final number of claims filed and the portion of the fund allotted to documented-loss payouts. Additionally, IDX Identity Protection Services, which includes dark web monitoring and up to $1 million in reimbursement insurance, offers a complimentary year of credit monitoring and identity theft protection to all eligible class members.
It’s difficult to ignore the fact that McLaren had previously been involved in a federal settlement. In January 2021, the company paid $7.75 million to settle claims made by the U.S. Department of Justice regarding violations of controlled substance handling at several Michigan facilities. Although the behavior in that case was completely different, it raises unsettling concerns about the institutional compliance culture at a health system this size. It is genuinely difficult to determine from the outside whether the 2023 and 2024 breaches are indicative of anything systemic or if they are the same type of incidents that have struck hospitals and health networks nationwide with startling regularity in recent years.
For those who are impacted, the practical urgency is clear. April 29, 2026, was the deadline for submitting a claim, either by mail or online at the official settlement website. To verify their eligibility, anyone who has not yet filed but received a breach notice from McLaren should call the settlement administrator at 1-844-685-4251. Actual payments are still some time off because the settlement funds are only disbursed following final court approval and the conclusion of any appeals. However, the window of opportunity for 2.8 million people whose data was reportedly accessible to hackers for weeks at a time—twice—to take part in any compensation that is offered is getting smaller.
