McLaren Health Care Data Breach 2025 (INC Ransom): 743,131 Michigan Patients and Employees Exposed. $14M Settlement Reached. What To Do
McLaren Health Care notified 743,131 people on June 20, 2025 that the INC Ransom group accessed its network from July 17 to August 3, 2024, stealing names, Social Security numbers, driver's license numbers, and medical and health insurance information. A $14M class settlement received final court approval April 21, 2026. Here is what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Jul 17, 2024
Unauthorized access to McLaren and Karmanos Cancer Institute network begins
Aug 3, 2024
Attacker access ends
Aug 5, 2024
McLaren detects suspicious activity on its computer systems
May 5, 2025
File review concludes; McLaren confirms PHI of 743,131 individuals was involved
Jun 20, 2025
McLaren begins mailing individual notification letters; 12 months of credit monitoring offered
Jun 24, 2025
Breach reported to HHS Office for Civil Rights as a Hacking/IT Incident at Network Server
Dec 15, 2025
Preliminary approval of $14M consolidated class settlement (covers 2023 and 2024 breaches)
Apr 21, 2026
Final approval of $14M settlement in Womack-Devereaux v. McLaren (Genesee County Cir. Ct. No. 24-121459)
Jul 17, 2024
Unauthorized access to McLaren and Karmanos Cancer Institute network begins
Aug 3, 2024
Attacker access ends
Aug 5, 2024
McLaren detects suspicious activity on its computer systems
May 5, 2025
File review concludes; McLaren confirms PHI of 743,131 individuals was involved
Jun 20, 2025
McLaren begins mailing individual notification letters; 12 months of credit monitoring offered
Jun 24, 2025
Breach reported to HHS Office for Civil Rights as a Hacking/IT Incident at Network Server
Dec 15, 2025
Preliminary approval of $14M consolidated class settlement (covers 2023 and 2024 breaches)
Apr 21, 2026
Final approval of $14M settlement in Womack-Devereaux v. McLaren (Genesee County Cir. Ct. No. 24-121459)
Data exposed
01
High-risk identity
Enables financial + identity theft
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
McLaren Health Care, the 13-hospital nonprofit system headquartered in Grand Blanc, Michigan, disclosed on June 24, 2025 that the INC Ransom group held undetected access to its network and the Karmanos Cancer Institute network from July 17 through August 3, 2024, exfiltrating files containing the names, Social Security numbers, driver’s license numbers, medical information, and health insurance information of 743,131 patients and employees. McLaren began mailing notification letters on June 20, 2025, nearly eleven months after detecting the intrusion.
Timeline
- July 17, 2024. Unauthorized access to McLaren and Karmanos Cancer Institute systems begins.
- August 3, 2024. Attacker access ends.
- August 5, 2024. McLaren detects suspicious activity, triggering a forensic investigation and patient-care disruptions across its Michigan hospitals.
- May 5, 2025. File review concludes. McLaren confirms 743,131 individuals’ protected health information was in the affected files.
- June 20, 2025. Individual notification letters begin going out. McLaren offers 12 months of complimentary credit monitoring and identity-theft protection.
- June 24, 2025. Breach reported to the HHS Office for Civil Rights as a Hacking/IT Incident at a Network Server.
- December 15, 2025. A Michigan state court grants preliminary approval to a consolidated $14 million class settlement covering both the 2023 BlackCat breach and this 2024 INC Ransom breach.
- April 21, 2026. Final approval is granted in Womack-Devereaux v. McLaren Health Care Corp., Genesee County Circuit Court Case No. 24-121459.
What was exposed
According to McLaren’s notification letters, the files accessed by INC Ransom contained:
- Names
- Social Security numbers
- Driver’s license numbers
- Medical information (which can include treatment, diagnosis, and provider details)
- Health insurance information
Not every category applies to every individual. The notification letter sent to each person lists the specific elements implicated for that person.
Context: this is McLaren’s second ransomware breach
This is the second major ransomware incident at McLaren in roughly twelve months. In November 2023, McLaren disclosed that the ALPHV/BlackCat group had stolen the PHI of 2,103,881 patients in a July 2023 intrusion. INC Ransom’s July 2024 attack came less than a year later and forced the system to operate parts of its hospital network in downtime procedures. INC Ransom briefly listed McLaren on its data-leak site but subsequently removed the listing; security press has reported this pattern is consistent with a ransom payment, though McLaren has not publicly confirmed or denied paying.
What McLaren is offering
Individuals identified in the file review are eligible for 12 months of complimentary credit monitoring and identity-theft protection through IDX, a leading identity-protection vendor. IDX’s services include dark-web monitoring, $1 million identity-theft reimbursement insurance, fully managed identity restoration, member advisory services, and lost-wallet assistance. Enrollment instructions and a unique activation code are included in each individual notification letter.
McLaren filed breach notices with the Maine, Massachusetts, and Vermont attorneys general on June 20, 2025. The Maine filing confirmed 25 Maine residents were affected; the Massachusetts filing confirmed 85 Massachusetts residents were affected.
Class-action posture
The 2024 INC Ransom breach was consolidated with pending litigation from the 2023 BlackCat breach in the State of Michigan 7th Judicial Circuit Court for Genesee County (No. 24-121459, Womack-Devereaux, et al. v. McLaren Health Care Corp.). Benjamin F. Johns of Shub Johns & Holbrook LLP serves as co-lead class counsel, with Miller Law Firm, P.C. and Milberg LLC on the plaintiff side. Murphy Law Firm publicly opened its own investigation in June 2025. Preliminary approval of the $14 million settlement was entered on December 15, 2025, and the court granted final approval on April 21, 2026.
Class members were eligible to claim documented out-of-pocket losses up to $5,000, a pro rata cash payment (no documentation required), or one year of IDX credit monitoring and identity-theft protection. The claims deadline was April 29, 2026 and is now closed. Settlement administration is handled by the Angeion Group (www.MHCCSettlement.com; 1-844-685-4251). Distribution to claimants will follow resolution of any appeals.
What to do
- Activate the IDX credit monitoring offer. If you received a notification letter from McLaren, it includes a unique activation code for 12 months of IDX identity-protection services — dark-web monitoring, $1 million reimbursement insurance, and identity restoration. There is no cost to you. Activate it now if you have not already done so.
- Freeze your credit at all three bureaus. Contact Equifax, Experian, and TransUnion directly to place a security freeze. This stops new accounts from being opened in your name and is independent of any IDX monitoring McLaren provides.
- File IRS Form 14039 if your Social Security number was exposed. This flags your account for identity-theft monitoring with the IRS and reduces the risk of a fraudulent tax return being filed in your name.
- Watch for medical-identity-theft signals. Review Explanations of Benefits from your insurer and request a copy of your medical record from McLaren or Karmanos Cancer Institute to confirm no fraudulent encounters appear.
- The class settlement claims period has closed (deadline was April 29, 2026). If you submitted a valid claim, payment will follow once any post-approval appeals are resolved. Visit www.MHCCSettlement.com or call 1-844-685-4251 for status updates.
- Be skeptical of unsolicited contact. Phishing calls and emails referencing the McLaren breach are predictable. McLaren will not ask you to verify your Social Security number by phone or email.
- Stop the ongoing flow of your health data. HealthConsent files HIPAA restriction requests so the medical and health insurance information exposed in this breach is not continuously re-shared across provider networks, health information exchanges, and downstream business associates.
Sources
- HHS Office for Civil Rights Breach Portal - federal regulatory record (743,131 / Hacking/IT Incident / Network Server, reported 6/24/2025).
- HIPAA Journal: McLaren Health Care Notifies Almost 750,000 Individuals About August 2024 Ransomware Attack
- HIPAA Journal: McLaren Health Care Pays $14 Million to Settle Litigation Over Ransomware Attacks
- BleepingComputer: McLaren Health Care says data breach impacts 743,000 patients
- BankInfoSecurity: McLaren Health Says 743,000 Affected by 2024 Ransomware Hack
- American Bar Association Health Law News: McLaren Health Care Informs Individuals of Significant Data Breach
- Shub Johns & Holbrook LLP: McLaren Health Data Breach Class Action - Final Approval
- ClassAction.org: McLaren Health Care Data Breach Lawsuit Investigation (June 2025)
- DataBreaches.net: McLaren provides written notice to 743,131 patients (June 2025)
- Michigan Attorney General Dana Nessel: Consumer Alert After McLaren Cyber Attack (August 2024)
- The Register: Cyberattack on McLaren Health Care affects 743k
- SecurityWeek: 743,000 Impacted by McLaren Health Care Data Breach
- ClaimDepot: MHCC Data Breach Settlement (Angeion Group / MHCCSettlement.com)
Continue reading
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS OCR Breach Portal (743,131 / Hacking/IT Incident / Network Server)
- HIPAA Journal: McLaren Health Care Notifies Almost 750,000 Individuals About August 2024 Ransomware Attack
- HIPAA Journal: McLaren Health Care Pays $14 Million to Settle Litigation Over Ransomware Attacks
- BleepingComputer: McLaren Health Care says data breach impacts 743,000 patients
- BankInfoSecurity: McLaren Health Says 743,000 Affected by 2024 Ransomware Hack
- American Bar Association: McLaren Health Care Informs Individuals of Significant Data Breach
- Shub Johns & Holbrook: McLaren Health Data Breach Class Action - Final Approval
- ClassAction.org: McLaren Health Care Data Breach Lawsuit Investigation (June 2025)
- DataBreaches.net: McLaren provides written notice to 743,131 patients after ransomware attack (June 2025)
- Michigan Attorney General Dana Nessel: Consumer Alert After McLaren Cyber Attack (August 2024)
- The Register: Cyberattack on McLaren Health Care affects 743k
- ClaimDepot: $14M MHCC Data Breach Settlement (Angeion Group administrator)
- SecurityWeek: 743,000 Impacted by McLaren Health Care Data Breach
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.