Alphv/BlackCat Ransomware Settlements Costing Healthcare Organizations Millions

The Alphv/BlackCat ransomware gang was one of the most active and damaging of the last several years. The FBI disrupted its infrastructure in December 2023 and the group disbanded in early 2024, but not before it hit many high-profile targets. Its most notable attack was the February 2024 attack on Change Healthcare, a UnitedHealth Group subsidiary, which disrupted patient care and claims processing nationwide and compromised the data of at least 190 million people. Other major Alphv/BlackCat victims included a Las Vegas hotel operator and a Fortune 500 title insurance provider. Healthcare organizations were among its most frequent targets, and many of them are now paying millions to settle the lawsuits that followed the attacks and the resulting data breaches.

NextGen Healthcare

Atlanta-based NextGen Healthcare agreed to establish a settlement fund of $19,375,000 after a 2023 BlackCat attack that compromised the data of more than one million people. The exposed data included names, addresses, dates of birth, and Social Security numbers. Plaintiffs alleged that NextGen failed to properly secure and encrypt the systems holding their private information, even though the company had suffered another breach only months earlier.

McLaren Health

Michigan’s McLaren Health Care agreed to pay $14 million to settle a class action lawsuit stemming from two data breaches. The first, the result of a 2023 Alphv/BlackCat attack, exposed the sensitive information of 2.5 million people. In 2024, McLaren suffered a second ransomware attack, claimed by a group called Inc Ransom, and the resulting data breach affected 740,000 people.

Norton Healthcare

Kentucky-based Norton Healthcare agreed to pay $11 million to settle the lawsuit it faced after a 2023 Alphv/BlackCat attack led to a data breach affecting 2.5 million people. In its notification letter, Norton stated that the compromised data included names, contact information, Social Security numbers, dates of birth, health information, insurance information, and medical identification numbers. In some cases, driver’s license or other government ID numbers, financial account numbers, and digital signatures may also have been taken.

Protect Your Business From Ransomware

Alphv/BlackCat may have been shut down, but plenty of other ransomware groups remain active, and its affiliates did not retire with it. Here are steps healthcare organizations can take to better protect themselves:

Implement Robust Backup and Recovery Processes

Healthcare organizations should maintain frequent, automated backups of critical systems, including Electronic Health Records (EHRs), imaging systems, billing platforms, and shared drives. A good baseline is the 3-2-1 rule: three copies of the data, on two different media types, with one copy stored off-site. Against ransomware, at least one copy must also be offline or immutable, because modern ransomware deliberately seeks out and encrypts or deletes any backup target it can reach over the network. Regularly test restoration procedures end to end to confirm that backups are actually restorable and that recovery time objectives are realistic; a backup that has never been restored is an assumption, not a control.
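The restoration test recommended above, as an added example that is not part of the original article: the script archives a constructed sample directory, records a SHA-256 manifest at backup time, restores the archive into a clean directory and verifies every file against the manifest. It then shows the failure case, a backup taken after one file was overwritten, being caught by comparison with the known-good manifest. Directory names, file contents and the `ehr_export` path are hypothetical.

```python
"""Backup-and-restore verification (added example, not from the article).

Archives a constructed sample directory, records a SHA-256 manifest at backup
time, restores the archive into a clean directory and checks every file
against the manifest. All paths and file contents are hypothetical.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large exports need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file under root (relative, POSIX-style) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path) -> Dict[str, str]:
    """Write a .tar.gz of source and return the manifest taken at backup time.
    In practice the manifest travels with the offline copy, not with the live
    data, so an attacker who reaches the backup target cannot rewrite both."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
    return manifest


def safe_extract(tar: tarfile.TarFile, target: Path) -> None:
    """Use the 'data' extraction filter (blocks path traversal, device nodes and
    absolute symlinks) where the interpreter has it; older Pythons lack the argument."""
    try:
        tar.extractall(str(target), filter="data")
    except TypeError:
        tar.extractall(str(target))


def restore_and_verify(archive: Path, manifest: Dict[str, str], target: Path) -> List[str]:
    """Restore archive into target and return the relative paths that are missing,
    altered or unexpected compared with the manifest. An empty list is a pass."""
    with tarfile.open(archive, "r:gz") as tar:
        safe_extract(tar, target)
    restored = build_manifest(target)
    problems = [p for p, digest in manifest.items() if restored.get(p) != digest]
    problems += [p for p in restored if p not in manifest]
    return sorted(problems)


def run_demo() -> Tuple[List[str], List[str]]:
    """Constructed scenario: a clean restore passes; a backup taken after one
    file was overwritten (what happens when ransomware reaches a connected
    backup target) fails verification against the known-good manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "ehr_export"  # hypothetical export directory
        (source / "labs").mkdir(parents=True)
        (source / "patients.csv").write_text("id,name\n1,constructed sample\n")
        (source / "labs" / "2024-01.json").write_text('{"result": "constructed"}\n')

        archive = root / "ehr_export.tar.gz"
        manifest = create_backup(source, archive)
        clean = restore_and_verify(archive, manifest, root / "restore_clean")

        # A later backup run captures the damage; the offline manifest catches it.
        (source / "patients.csv").write_bytes(b"\x00ENCRYPTED\x00")
        later_archive = root / "ehr_export_after_attack.tar.gz"
        create_backup(source, later_archive)
        tampered = restore_and_verify(later_archive, manifest, root / "restore_bad")
        return clean, tampered


if __name__ == "__main__":
    ok, bad = run_demo()
    print("clean restore problems:", ok)      # []
    print("tampered restore problems:", bad)  # ['patients.csv']
```

The point of the second half of `run_demo` is that a backup job will happily archive already-encrypted files; only a manifest that was recorded earlier and kept where the attacker cannot reach it tells you which restore point is still trustworthy.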

Enforce Multi-Factor Authentication (MFA) Everywhere Possible

Compromised credentials are a leading initial access vector for ransomware. Enforcing MFA for remote access (VPN, RDP), email accounts, cloud services, and privileged accounts significantly reduces the risk of unauthorized access. Because healthcare environments often contain legacy systems that cannot support MFA, prioritize internet-facing and high-privilege systems first, and prefer phishing-resistant methods (FIDO2/WebAuthn or certificate-based) for administrators, since attackers routinely defeat push notifications and SMS codes through MFA fatigue and social engineering.

Maintain Aggressive Patch and Vulnerability Management

Unpatched software gives attackers exploitable entry points. Healthcare organizations should maintain a comprehensive asset inventory and apply security patches in order of risk, starting with externally exposed systems and vulnerabilities known to be exploited in the wild. Where legacy clinical systems cannot be patched, compensating controls such as network isolation and strict access restrictions should be implemented. Routine vulnerability scanning and penetration testing help identify the gaps that remain.

Segment Networks and Limit Lateral Movement

Flat networks let ransomware spread rapidly from one compromised workstation across clinical and administrative systems. Network segmentation separates critical systems (EHR, PACS, pharmacy systems) from general user workstations, guest networks, and internet-facing services, so that a compromise in one zone cannot reach another without crossing a monitored control point. Access controls should follow the principle of least privilege, ensuring users and systems can reach only what their role requires.

Security Awareness Training

Phishing remains one of the most common entry points for attackers. Consistent, interactive training helps staff recognize suspicious emails, malicious attachments, and social engineering tactics, including phone calls to the help desk requesting password or MFA resets. Simulated phishing exercises reinforce learning and identify departments that need additional education. Training should be conducted at least annually for all employees, and at onboarding for new hires.

Develop and Test an Incident Response Plan

Healthcare organizations must assume that prevention alone will eventually fail. A documented, ransomware-specific incident response plan should define roles, communication protocols (including out-of-band channels for when email and phones are down), regulatory reporting obligations such as HIPAA breach notification, and downtime procedures for maintaining patient care without the affected systems. Tabletop exercises and live simulations let leadership and IT teams practice decision-making under pressure.

Deploy Advanced Endpoint Detection and Monitoring

Signature-based antivirus alone is no longer sufficient against modern ransomware, which is frequently rebuilt to evade signatures and leans on legitimate administrative tools. Endpoint Detection and Response (EDR) or Managed Detection and Response (MDR) solutions add behavioral monitoring, rapid threat containment, and forensic visibility. Continuous monitoring enables early detection of suspicious activity, such as a single process rewriting or renaming large numbers of files within a short window, or the deletion of volume shadow copies. Early containment can keep a localized compromise from becoming an enterprise-wide crisis.
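An added example of the kind of behavioral logic described above, written here in Python over constructed file-system events; it is not code from the article or from any EDR product. It alerts on a process that touches many distinct files inside a short window and also shows an encryption signature (mass extension changes or high-entropy writes), and it deliberately does not alert on volume alone, so the constructed backup agent that copies 40 files in eight seconds stays quiet. Process names, PIDs, paths and the `.locked` extension are hypothetical.

```python
"""Behavioral ransomware heuristic over file-system events (added example).

Alerts on a process that touches many distinct files inside a short window
AND shows an encryption signature: mass extension changes or high-entropy
writes. Volume alone is deliberately not enough, because a backup agent or
an indexer also touches many files quickly. Events, process names, PIDs and
paths below are constructed for the demonstration.
"""
import hashlib
import math
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, maximum 8.0. Ciphertext and compressed data sit near 8;
    plain text and most office formats sit well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class RansomwareHeuristic:
    def __init__(self, window=timedelta(seconds=10), min_files=20, entropy_min=7.0):
        self.window = window
        self.min_files = min_files
        self.entropy_min = entropy_min
        # pid -> deque of (timestamp, path, extension_changed, high_entropy)
        self.recent = defaultdict(deque)
        self.alerted = set()

    def observe(self, ev: Dict) -> Optional[str]:
        """Feed one event; return an alert string the first time a PID crosses
        the threshold, otherwise None."""
        ts = datetime.fromisoformat(ev["ts"])
        ext_changed = (ev["op"] == "rename" and
                       os.path.splitext(ev["path"])[1] != os.path.splitext(ev["new_path"])[1])
        high_entropy = ev["op"] == "write" and shannon_entropy(ev["data"]) >= self.entropy_min
        q = self.recent[ev["pid"]]
        q.append((ts, ev["path"], ext_changed, high_entropy))
        while q and ts - q[0][0] > self.window:  # drop events outside the window
            q.popleft()
        distinct = {path for _, path, _, _ in q}
        if len(distinct) < self.min_files or ev["pid"] in self.alerted:
            return None
        ext_changes = sum(1 for _, _, e, _ in q if e)
        hot_writes = sum(1 for _, _, _, h in q if h)
        if ext_changes >= self.min_files // 2 or hot_writes >= self.min_files // 2:
            self.alerted.add(ev["pid"])
            return (f"ALERT pid={ev['pid']} image={ev['image']}: {len(distinct)} files in "
                    f"{self.window.total_seconds():.0f}s, {ext_changes} extension changes, "
                    f"{hot_writes} high-entropy writes")
        return None


# Constructed payloads: deterministic pseudo-random bytes stand in for ciphertext.
CIPHERTEXT = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
PLAINTEXT = b"Patient note (constructed sample): follow-up in two weeks.\n" * 64


def constructed_events() -> List[Dict]:
    t0 = datetime(2024, 5, 1, 2, 15, 0)
    events = []
    # Benign: a backup agent copies 40 files in 8 s, no renames, ordinary content.
    for i in range(40):
        events.append({"ts": (t0 + timedelta(milliseconds=200 * i)).isoformat(),
                       "pid": 1201, "image": "backup_agent.exe", "op": "write",
                       "path": f"/srv/records/note_{i}.txt", "data": PLAINTEXT})
    # Malicious: 25 PDFs overwritten with ciphertext and renamed .locked in 5 s.
    for i in range(25):
        ts = (t0 + timedelta(seconds=30, milliseconds=200 * i)).isoformat()
        path = f"/srv/records/scan_{i}.pdf"
        events.append({"ts": ts, "pid": 4412, "image": "svc_update.exe", "op": "write",
                       "path": path, "data": CIPHERTEXT})
        events.append({"ts": ts, "pid": 4412, "image": "svc_update.exe", "op": "rename",
                       "path": path, "new_path": path + ".locked"})
    return events


def run(events: List[Dict]) -> List[str]:
    """Replay events through the detector and collect the alerts it raises."""
    det = RansomwareHeuristic()
    return [a for a in (det.observe(e) for e in events) if a]


if __name__ == "__main__":
    for alert in run(constructed_events()):
        print(alert)
```

Running it yields exactly one alert, for PID 4412, raised on the twentieth encrypted file rather than after all twenty-five; in a real deployment that alert is what triggers host isolation. The entropy test is the weaker of the two signals on its own (compressed archives and already-encrypted PDFs also score high), which is why the heuristic requires either signal together with the file-count threshold rather than on its own.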

CompliancePoint has a long history of helping healthcare organizations improve their cybersecurity posture, achieve HIPAA compliance, and secure HITRUST certification. Reach out to us at connect@compliancepoint.com to learn more about our services.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.