A recent class action lawsuit alleges Michigan-based McLaren Health Care Corporation failed to implement reasonable, industry-standard cybersecurity measures prior to a massive early-October 2023 data breach that affected current and former patients.
According to the lawsuit, a ransomware outfit known as ALPHV/BlackCat on October 3 “took credit” for the McLaren Health Care data breach, claiming to have stolen six terabytes of data belonging to roughly 2.5 million patients. The suit accuses McLaren, whose system includes 13 hospitals in Michigan, of storing current and former patient data in “a reckless manner,” in particular in a condition vulnerable to cyberattacks.
Further, the lawsuit calls the method by which the hackers infiltrated McLaren’s systems a “known risk” to the corporation, which was thus “on notice that failing to take steps necessary to secure the Private Information from those risks left that property in a dangerous condition.”
The lawsuit claims that over 2.5 million current and former patient identities are now at risk because of McLaren’s negligent failure to implement data standards as required by the Health Insurance Portability and Accountability Act (HIPAA), despite its claim that it abides by this standard.
According to the lawsuit, the information compromised in the McLaren Health Care data breach included personally identifiable information and medical and health insurance details, including names, dates of birth, Social Security numbers, and medical and treatment data.
The injuries sustained by McLaren data breach victims include not only the theft of their private information but also the lost or diminished value of that data, lost time associated with mitigating the fallout of the data breach, out-of-pocket costs linked to credit monitoring and credit freezes, and the continued risk of fraud and identity theft, the case says.
How did this happen?
McLaren, in late August, reportedly detected “suspicious activity” on its computer network and immediately launched an investigation into the source of the disruption. As a result of this inquiry, McLaren learned that it did, in fact, experience a ransomware attack, the suit shares. Around September 29, ALPHV/BlackCat claimed responsibility for the incident, the latest in a long string of ransomware attacks targeted at companies that maintain sensitive patient data, the case relays.
The lawsuit asserts that current and former patients’ data was not encrypted in McLaren’s systems and “was or soon will be published on the dark web” and made available for purchase.
Join The McLaren Health Care Class Action
The case looks to cover all persons in the United States whose personal and/or health information was compromised as a result of the McLaren Health Care data breach.